Abstract —The depth-bounded fragment of the π-calculus is an expressive class of systems enjoying decidability of some important verification problems. Unfortunately, membership of the fragment is undecidable. We propose a novel type system, parameterised over a finite forest, that formalises name usage by π-terms in a manner that respects the forest. Type checking is decidable and type inference is computable; furthermore, typable π-terms are guaranteed to be depth bounded.

The second contribution of the paper is a proof of equivalence 
between the semantics of typable terms and nested data class 
memory automata, a class of automata over data words. We 
believe this connection can help to establish new links between 
the rich theory of infinite-alphabet automata and nominal calculi. 

I. Introduction 

The π-calculus [14] is a concise yet expressive model of concurrent computation. Its view of a concurrent system is a set of processes exchanging messages over channels, either private or public. Both processes and private channels can be created dynamically. A key feature of the calculus is mobility: a private channel name can be sent as a message over a public one and later used to exchange messages with an initially disconnected party. The communication topology of a π-calculus system, i.e., the graph linking processes that share channels, is therefore dynamically evolving, in contrast to those of simpler process calculi such as CCS.

From a verification point of view, proving properties of π-calculus terms is challenging: the full π-calculus is Turing-complete. As a consequence, a lot of research effort has been devoted to defining fragments of the π-calculus that could be verified automatically while retaining as much expressivity as possible. To date, the most expressive fragment that has decidable verification problems is the depth-bounded π-calculus [8]. Roughly speaking, the depth of a π-calculus term can be understood as the maximum length of the simple (i.e. non-looping) paths in the communication topology of the term. A term is depth-bounded if there exists a $k \in \mathbb{N}$ such that the maximal nested depth of restriction of each reachable term is bounded by $k$. Notably, depth-bounded systems can have an infinite state-space and generate unboundedly many names. Besides enabling the design of procedures for deciding such important verification problems as termination or coverability, depth boundedness can be useful as a correctness property of a system in itself. Consider, for example, a system modelling an unbounded number of processes, each maintaining a private queue of tasks and communicating via message-passing. In the π-calculus, structures such as lists and queues are typically modelled using private channels to represent the "next" pointers. Proving a bound in depth $k$ for such a system would guarantee that none of the queues grows unboundedly, which is an oft-desired resource-usage property.

Unfortunately, depth boundedness is a semantic property: it is undecidable whether a given arbitrary π-calculus term is depth-bounded. It has recently been proved that the problem becomes decidable if the bound $k$ is fixed [18], but the complexity is very high.

Contributions 

The first contribution of this paper is a novel fragment of the π-calculus which we call typably hierarchical, which is a proper subset of the depth-bounded π-calculus. This fragment is defined by means of a type system with decidable checking and inference. The typably hierarchical fragment is rather expressive: it includes terms that are unbounded in the number of private channels and exhibit mobility.

The type system itself is based on the novel notion of 
T-compatibility, where T is a given finite forest. We start 
from the observation that the communication topologies of 
depth bounded terms often exhibit a hierarchical structure: 
channels are organisable into layers with decreasing degree 
of sharing. Consider the example of an unbounded number of 
clients communicating with their local server: a message from 
a client containing a private channel is sent to the server’s 
channel, the server replies to the client’s request on the client’s 
private channel. While the server’s channel is shared among 
all the clients, the private channel of each client is shared only 
between itself and the server. T-compatibility formalises and 
generalises this intuition. Roughly speaking, we associate to 
each channel name a base type which is a node in a (finite) 
forest T. The forest T represents the hierarchical relationship 
between channels: it is the blueprint according to which one can 
organise the relationship between channels in each reachable 
term. 

More precisely, the names hierarchy imposes constraints on the scopes of private names that can be considered valid. Consider the term $\nu b.(\bar a\langle b\rangle.b(y)) \,\|\, a(x).(\nu c.\bar x\langle c\rangle)$: two parallel processes ready to synchronise on the public channel $a$. Upon synchronisation, the private name $b$ —known only by the first process—will be transmitted to the second process, which will "migrate" under the scope of $b$. The result of this communication is the term $\nu b.(b(y) \,\|\, \nu c.(\bar b\langle c\rangle))$; note how the migration nests the scope of $c$ in the scope of $b$. If T dictates that $c$ is higher in the hierarchy than $b$, the scoping resulting from the communication would be invalid: scope nesting should always respect the hierarchy. The type system we present constrains the use of names so that each term that is reachable from a typably hierar
 chical term is guaranteed to have scopes respecting T. From this guarantee it can be shown that typably hierarchical terms have a depth bounded by the height of T. We believe that the notion of T-compatibility has potential as a specification device: it allows the user to specify the desired relationship between channels instead of just a numeric bound on depth.

After defining the typably hierarchical fragment, we turn to the question: is there an automata-based model that can represent the same set of systems? The second contribution of this paper is an encoding of typably hierarchical terms into Nested Data Class Memory Automata [3], a class of automata over data words (i.e. finite words over infinite alphabets). An encoding of Nested Data Class Memory Automata into typably hierarchical terms is also presented, showing that the two models are equi-expressive. The two encodings are heavily based on the notion of T-compatibility and open an approach to fruitful interactions between process algebra and automata over infinite alphabets.

II. Preliminaries 

Labelled forests 

A forest is a simple, acyclic, directed graph $f = (N_f, \prec_f)$ such that the edge relation, $\prec_f \subseteq N_f \times N_f$, is the parent map, which is defined on every node of the forest except the root(s). A path is a sequence of nodes, $n_1 \ldots n_k$, such that for each $i < k$, $n_i \prec_f n_{i+1}$. Thus every node of a forest has a unique path to a root (and it follows that that root is unique). Henceforth we assume that all forests are finite. We write $\mathrm{paths}(f)$ for the set of paths in $f$. The height of a forest, $\mathrm{height}(f)$, is the length of its longest path.

An $L$-labelled forest is a pair $\varphi = (f_\varphi, \ell_\varphi)$ where $f_\varphi$ is a forest and $\ell_\varphi\colon N_{f_\varphi} \to L$ is a labelling function on nodes. Given a path $n_1 \ldots n_k$ of $f_\varphi$, its trace is the induced sequence $\ell_\varphi(n_1) \ldots \ell_\varphi(n_k)$. By abuse of language, a trace is an element of $L^*$ which is the trace of some path in the forest. We write $\mathrm{traces}(\varphi)$ for the set of traces of the labelled forest.

We define $L$-labelled forests inductively from the empty forest $(\emptyset, \emptyset)$. We write $\varphi_1 \uplus \varphi_2$ for the disjoint union of forests $\varphi_1$ and $\varphi_2$, and $l[\varphi]$ for the forest with a single root, labelled with $l \in L$, which has the respective roots of the forest $\varphi$ as children. Since the choice of the set of nodes is irrelevant, we will always interpret equality between forests up to isomorphism (i.e. a bijection on nodes respecting parent and labelling).

The π-calculus

We use a π-calculus with guarded replication to express recursion [11]. Fix a universe $\mathcal{N}$ of names representing channels and messages occurring in communications. The syntax follows the grammar:

$$\mathcal{P} \ni P, Q ::= \nu x.P \mid P_1 \,\|\, P_2 \mid M \mid M^* \qquad \text{process}$$
$$M ::= 0 \mid M + M \mid \pi.P \qquad \text{choice}$$
$$\pi ::= a(x) \mid \bar a\langle b\rangle \mid \tau \qquad \text{prefix}$$

Structural congruence is defined as the smallest congruence closed by α-conversion of bound names, commutativity and associativity of choice and parallel composition with 0 as the neutral element, and the following laws for restriction, replication and scope extrusion:¹

$$\nu x.0 \equiv 0 \qquad \nu x.\nu y.P \equiv \nu y.\nu x.P \qquad 0^* \equiv 0$$
$$M^* \equiv M \,\|\, M^* \qquad P \,\|\, \nu a.Q \equiv \nu a.(P \,\|\, Q)\ \ (\text{if } a \notin \mathrm{fn}(P))$$

The name $x$ is bound in both $\nu x.P$ and in $a(x).P$. We will write $\mathrm{fn}(P)$, $\mathrm{bn}(P)$ and $\mathrm{bn}_\nu(P)$ for the set of free, bound and restriction-bound names in $P$, respectively. A sub-term is active if it is not under a prefix. A name is active when it is bound by an active restriction. The set $\mathrm{active}_\nu(P)$ is the set of the active names of $P$. Terms of the form $M$ and $M^*$ are called sequential. We write $\mathcal{S}$ for the set of all sequential terms. $\mathrm{seq}(P)$ is the set of all active sequential processes of $P$.

We will often rely on the following mild assumption, that the choice of names is unambiguous, especially when selecting a representative for a congruence class.

Name Uniqueness Assumption. Each name in $P$ is bound at most once; and $\mathrm{fn}(P) \cap \mathrm{bn}(P) = \emptyset$.

Note that channels are unary; extending our work to the polyadic case is straightforward, but we only consider the unary case for conciseness.

As we will see in the rest of the paper, the notions of depth and of hierarchy between names rely heavily on structural congruence. In particular, given a certain structure on names, there will be a specific representative of the structural congruence class that exhibits the desired properties. Nevertheless, we cannot assume the input term is always presented as that specific representative; worse yet, when the structure on names is not fixed, as in the case of type inference, we cannot fix any particular representative and be sure it will witness the desired properties. So, instead, in the semantics and in the type system, we manipulate a neutral representative called normal form, which is a variant of the standard form [13]. In this way we are not distracted by the particular syntactic representation we are presented with.

We say that a term $P$ is in normal form ($P \in \mathcal{P}_{\mathrm{nf}}$) if it is in standard form and each of its inactive subterms is also in normal form. Formally, each process in normal form follows the grammar

$$\mathcal{P}_{\mathrm{nf}} \ni N ::= \nu x_1.\cdots\nu x_n.(A_1 \,\|\, \cdots \,\|\, A_m)$$
$$A ::= \pi_1.N_1 + \cdots + \pi_n.N_n \mid (\pi_1.N_1 + \cdots + \pi_n.N_n)^*$$

where the sequences $x_1 \ldots x_n$ and $A_1 \ldots A_m$ may be empty; when they are both empty the normal form is the term 0. We further assume w.l.o.g. that a normal form satisfies Name Uniqueness. Since the order of appearance of the restrictions, sequential terms or choices in a normal form is irrelevant in the technical development of our results, we use the following abbreviations. Given a finite set of indexes $I = \{i_1, \ldots, i_n\}$ we write $\prod_{i \in I} A_i$ for $(A_{i_1} \,\|\, \cdots \,\|\, A_{i_n})$, which is 0 when $I$ is empty; and $\sum_{i \in I} \pi_i.N_i$ for $\pi_{i_1}.N_{i_1} + \cdots + \pi_{i_n}.N_{i_n}$. This notation is justified by commutativity and associativity of the parallel and choice operators. We also write $\nu X.P$ or $\nu x_1\, x_2 \cdots x_n.P$ for $\nu x_1.\cdots\nu x_n.P$ when $X = \{x_1, \ldots, x_n\}$, or just $P$ when $X$ is empty; this is justified by the structural laws of restrictions. When $X$ and $Y$ are disjoint sets of names, we use juxtaposition for union.

¹Technically, the $0^* \equiv 0$ rule is not in the standard definition, but this does not affect the reduction semantics.

Every process $P \in \mathcal{P}$ is structurally congruent to a process in normal form. The function $\mathrm{nf}\colon \mathcal{P} \to \mathcal{P}_{\mathrm{nf}}$, defined in Figure 1, extracts, from a term, a structurally equivalent normal form.

We are interested in the reduction semantics of a π-term, which can be described using the following rule.

Definition 1 (Semantics of π-calculus). The operational semantics of the π-calculus is defined by the transition system on π-terms, with transitions satisfying $P \to Q$ if

(i) $P \equiv \nu W.(S \,\|\, R \,\|\, C) \in \mathcal{P}_{\mathrm{nf}}$,
(ii) $S = (\bar a\langle b\rangle.\nu Y_S.S') + M_S$,
(iii) $R = (a(x).\nu Y_R.R') + M_R$,
(iv) $Q = \nu W\, Y_S\, Y_R.(S' \,\|\, R'[b/x] \,\|\, C)$,

or if

(i) $P \equiv \nu W.(\tau.\nu Y.P' \,\|\, C) \in \mathcal{P}_{\mathrm{nf}}$,
(ii) $Q = \nu W\, Y.(P' \,\|\, C)$.

We define the set of reachable configurations as $\mathrm{Reach}(P) := \{Q \mid P \to^* Q\}$, writing $\to^*$ to mean the reflexive, transitive closure of $\to$.

Note that the use of structural congruence takes care of unfolding replications, if necessary.

Example 1 (Server/Client system). Consider the term $\nu s\, c.P$ where:

$$P = S^* \,\|\, C^* \,\|\, M^* \qquad S = s(x).\nu d.\bar x\langle d\rangle$$
$$C = c(m).(\bar s\langle m\rangle \,\|\, m(y).\bar c\langle m\rangle) \qquad M = \tau.\nu m.\bar c\langle m\rangle$$

The term $S^*$, which is presented in normal form, represents a server listening to a port $s$ for a client's requests. A request is a channel $x$ that the client sends to the server for exchanging the response. After receiving $x$ the server creates a new name $d$ and sends it over $x$. The term $M^*$ creates unboundedly many clients, each with its own private mailbox $m$. A client on a mailbox $m$ repeatedly sends requests to the server and concurrently waits for the answer on the mailbox before recursing. An example run of the system:

$$\nu s\, c.P \to \nu s\, c\, m.(P \,\|\, \bar c\langle m\rangle)$$
$$\to \nu s\, c\, m.(P \,\|\, \bar s\langle m\rangle \,\|\, m(y).\bar c\langle m\rangle)$$
$$\to \nu s\, c\, m\, d.(P \,\|\, \bar m\langle d\rangle \,\|\, m(y).\bar c\langle m\rangle)$$
$$\to \nu s\, c\, m\, d.(P \,\|\, \bar c\langle m\rangle) \equiv \nu s\, c\, m.(P \,\|\, \bar c\langle m\rangle)$$


Example 2 (Stack-like system). Consider the normal form $\nu X.(S^* \,\|\, \bar s\langle a\rangle)$ where $X = \{s, n, v, a\}$ and

$$S = s(x).\nu b.((\bar v\langle b\rangle.\bar n\langle x\rangle) \,\|\, \bar s\langle b\rangle)$$

The term $\bar s\langle a\rangle$ represents a stack with top element $a$; the stack is in an infinite loop that pushes new names (copies of $b$): this is represented by the term $\bar v\langle b\rangle.\bar n\langle a\rangle \,\|\, \bar s\langle b\rangle$ indicating that the top value is $b$, the next is $a$ and the stack now starts from $b$. An example run:

$$\nu X.(S^* \,\|\, \bar s\langle a\rangle)$$
$$\to \nu X.(S^* \,\|\, \nu b.((\bar v\langle b\rangle.\bar n\langle a\rangle) \,\|\, \bar s\langle b\rangle))$$
$$\to \nu X.(S^* \,\|\, \nu b\, b'.((\bar v\langle b\rangle.\bar n\langle a\rangle) \,\|\, (\bar v\langle b'\rangle.\bar n\langle b\rangle) \,\|\, \bar s\langle b'\rangle))$$

The following definitions are minor variations of (but equivalent to) the concepts introduced in [8].²

Definition 2 ($\mathrm{nest}_\nu$, depth, depth-bounded term). The nesting of restrictions of a term is given by the function

$$\mathrm{nest}_\nu(M) := \mathrm{nest}_\nu(M^*) := 0$$
$$\mathrm{nest}_\nu(\nu x.P) := 1 + \mathrm{nest}_\nu(P)$$
$$\mathrm{nest}_\nu(P \,\|\, Q) := \max(\mathrm{nest}_\nu(P), \mathrm{nest}_\nu(Q)).$$

The depth of a term is defined as the minimal nesting of restrictions in its congruence class:

$$\mathrm{depth}(P) := \min\{\mathrm{nest}_\nu(Q) \mid P \equiv Q\}.$$

A term $P \in \mathcal{P}$ is depth-bounded if there exists a $k \in \mathbb{N}$ such that for each $Q \in \mathrm{Reach}(P)$, $\mathrm{depth}(Q) \le k$.

Example 3. The term in Example 1 is depth bounded: all the reachable terms are congruent to terms of the form

$$Q_{i,j,k} = \nu s\, c.(P \,\|\, N^i \,\|\, \mathit{Req}^j \,\|\, \mathit{Ans}^k)$$

for some $i, j, k \in \mathbb{N}$ where $N = \nu m.\bar c\langle m\rangle$, $\mathit{Req} = \nu m.(\bar s\langle m\rangle \,\|\, m(y).\bar c\langle m\rangle)$, $\mathit{Ans} = \nu m.(\nu d.\bar m\langle d\rangle \,\|\, m(y).\bar c\langle m\rangle)$ and by $Q^n$ we mean the parallel composition of $n$ copies of the term $Q$. For any $i, j, k$, $\mathrm{nest}_\nu(Q_{i,j,k}) \le 4$: the longest chain of nested restrictions is $s, c, m, d$.

The term in Example 2 is unbounded in depth: the number of nested copies of $b$ grows every time a push is performed; it is not possible to extrude their scope to reduce the number of nested levels.

Note that both terms are not name bounded (in the sense of [6]): the number of active restrictions in the reachable terms is not bounded.

Definition 3 (Forest representation). We represent the structural congruence class of a term $P \in \mathcal{P}$ with the set of labelled forests $\mathcal{F}[P] := \{\mathrm{forest}(Q) \mid Q \equiv P\}$ with labels in $\mathrm{active}_\nu(P) \uplus \mathrm{seq}(P)$, where $\mathrm{forest}(Q)$ is defined as

$$\mathrm{forest}(Q) := \begin{cases} x[\mathrm{forest}(Q')] & \text{if } Q = \nu x.Q' \\ \mathrm{forest}(Q_1) \uplus \mathrm{forest}(Q_2) & \text{if } Q = Q_1 \,\|\, Q_2 \\ Q[(\emptyset, \emptyset)] & \text{if } Q \text{ is sequential} \\ (\emptyset, \emptyset) & \text{if } Q = 0 \end{cases}$$

Note that only leaves are labelled with sequential processes.

The restriction height, $\mathrm{height}_\nu(\mathrm{forest}(P))$, is the length of the longest path formed of nodes labelled with names in $\mathrm{forest}(P)$.

Clearly, for any $P \in \mathcal{P}$, $\mathrm{depth}(P) = \min\{\mathrm{height}_\nu(\varphi) \mid \varphi \in \mathcal{F}[P]\}$.

²In [8] these functions are defined on fragments. It is easy to prove that our definition of $\mathrm{nest}_\nu$ coincides with the one in [8] on fragments and that for any fragment $F$ and non-fragment $P$, if $F \equiv P$ then $\mathrm{nest}_\nu(P) \ge \mathrm{nest}_\nu(F)$. As a consequence our definition of depth coincides with the one in [8].

$$\mathrm{nf}(0) := 0 \qquad \mathrm{nf}(\pi.P) := \pi.\mathrm{nf}(P) \qquad \mathrm{nf}(\nu x.P) := \nu x.\mathrm{nf}(P)$$
$$\mathrm{nf}(M + M') := \begin{cases} \mathrm{nf}(M) & \text{if } \mathrm{nf}(M') = 0 \neq \mathrm{nf}(M) \\ \mathrm{nf}(M') & \text{if } \mathrm{nf}(M) = 0 \\ \mathrm{nf}(M) + \mathrm{nf}(M') & \text{otherwise} \end{cases}$$
$$\mathrm{nf}(M^*) := \begin{cases} (\mathrm{nf}(M))^* & \text{if } \mathrm{nf}(M) \neq 0 \\ 0 & \text{otherwise} \end{cases}$$
$$\mathrm{nf}(P \,\|\, Q) := \begin{cases} \mathrm{nf}(P) & \text{if } \mathrm{nf}(Q) = 0 \neq \mathrm{nf}(P) \\ \mathrm{nf}(Q) & \text{if } \mathrm{nf}(P) = 0 \\ \nu X_P X_Q.(N_P \,\|\, N_Q) & \text{if } \mathrm{nf}(Q) = \nu X_Q.N_Q,\ \mathrm{nf}(P) = \nu X_P.N_P \text{ and } \mathrm{active}_\nu(N_P) = \mathrm{active}_\nu(N_Q) = \emptyset \end{cases}$$

Figure 1. Definition of the $\mathrm{nf}\colon \mathcal{P} \to \mathcal{P}_{\mathrm{nf}}$ function.

Lemma 1. Let $\varphi$ be a forest with labels in $\mathcal{N} \uplus \mathcal{S}$. Then $\varphi = \mathrm{forest}(Q)$ with $Q \equiv Q_\varphi$, where

$$Q_\varphi := \nu X_\varphi.\Pi_\varphi \qquad \Pi_\varphi := \prod_{(n, A) \in I_\varphi} A$$
$$X_\varphi := \{\ell_\varphi(n) \in \mathcal{N} \mid n \in N_\varphi\} \qquad I_\varphi := \{(n, A) \mid \ell_\varphi(n) = A \in \mathcal{S}\}$$

provided

1) $\forall n \in N_\varphi$, if $\ell_\varphi(n) \in \mathcal{S}$ then $n$ has no children in $\varphi$, and
2) $\forall n, n' \in N_\varphi$, if $\ell_\varphi(n) = \ell_\varphi(n') \in \mathcal{N}$ then $n = n'$, and
3) $\forall n \in N_\varphi$, if $\ell_\varphi(n) = A \in \mathcal{S}$ then for each $x \in X_\varphi \cap \mathrm{fn}(A)$ there exists $n' <_\varphi n$ such that $\ell_\varphi(n') = x$.

Proof. We proceed by induction on the structure of $\varphi$. The base case is when $\varphi = (\emptyset, \emptyset)$, for which we have $Q_\varphi = 0$ and $\varphi = \mathrm{forest}(0)$.

When $\varphi = \varphi_0 \uplus \varphi_1$ we have that if conditions 1, 2 and 3 hold for $\varphi$, they must hold for $\varphi_0$ and $\varphi_1$ as well, hence we can apply the induction hypothesis to them, obtaining $\varphi_i = \mathrm{forest}(Q_i)$ with $Q_i \equiv Q_{\varphi_i}$ ($i \in \{0, 1\}$). We have $\varphi = \mathrm{forest}(Q_0 \,\|\, Q_1)$ by definition of forest, and we want to prove that $Q_0 \,\|\, Q_1 \equiv Q_\varphi$. By condition 2 on $\varphi$, $X_{\varphi_0}$ and $X_{\varphi_1}$ must be disjoint; furthermore, by condition 3 on both $\varphi_0$ and $\varphi_1$ we can conclude that $\mathrm{fn}(Q_{\varphi_i}) \cap X_{\varphi_{1-i}} = \emptyset$. We can therefore apply scope extrusion: $Q_0 \,\|\, Q_1 \equiv Q_{\varphi_0} \,\|\, Q_{\varphi_1} \equiv \nu X_{\varphi_0} X_{\varphi_1}.(\Pi_{\varphi_0} \,\|\, \Pi_{\varphi_1}) \equiv Q_\varphi$.

The last case is when $\varphi = l[\varphi']$. Suppose conditions 1, 2 and 3 hold for $\varphi$. We distinguish two cases. If $l = A \in \mathcal{S}$, by 1 we have $\varphi' = (\emptyset, \emptyset)$, $\varphi = \mathrm{forest}(A)$ and $A = Q_\varphi$. If $l = x \in \mathcal{N}$ then we observe that conditions 1, 2 and 3 hold for $\varphi'$ under the assumption that they hold for $\varphi$. Therefore $\varphi' = \mathrm{forest}(Q')$ with $Q' \equiv Q_{\varphi'}$, and, by definition of forest, $\varphi = \mathrm{forest}(\nu x.Q')$. By condition 2 we have $x \notin X_{\varphi'}$, so $\nu x.Q' \equiv \nu x.Q_{\varphi'} = \nu(X_{\varphi'} \cup \{x\}).\Pi_{\varphi'} = Q_\varphi$. □

III. The notion of T-compatibility

In this section we will introduce the concept of T-compatibility, which is a central tool in our constructions. First we will introduce types, which annotate names, and postulate that they are arranged as a forest $(T, \prec)$. Intuitively, by annotating names with types we impose a hierarchy on them, and T-compatibility of a term $P$ will mean that the structure of $P$ respects this hierarchy.

For the rest of the paper we will fix a finite forest of base types $(T, \prec)$ where $n_1 \prec n_2$ means that "$n_1$ is the parent of $n_2$". We write $\le$ and $<$ for the reflexive transitive and the transitive closure of $\prec$, respectively.

Types are of the form

$$\tau ::= t \mid t[\tau]$$

where $t \in T$ is a base type. A name with type $t$ cannot be used as a channel but can be used as a message; a name with type $t[\tau]$ can be used to transmit a name of type $\tau$. We will write $\mathrm{base}(\tau)$ for $t$ when $\tau = t[\tau']$ or $\tau = t$. Note that these are (a fragment of) the IO-types in the sense of Pierce and Sangiorgi [16]. An environment $\Gamma$ is a partial map from names to types, which we will write as a set of type assignments, $x : \tau$. Given a set of names $X$ and an environment $\Gamma$, we write $\Gamma(X)$ for the set $\{\Gamma(x) \mid x \in X \cap \mathrm{dom}(\Gamma)\}$. Given two environments $\Gamma$ and $\Gamma'$ with $\mathrm{dom}(\Gamma) \cap \mathrm{dom}(\Gamma') = \emptyset$, we write $\Gamma\Gamma'$ for their union. For a type environment $\Gamma$ we define $\min_T(\Gamma) := \{(x : \tau) \in \Gamma \mid \forall (y : \tau') \in \Gamma.\ \mathrm{base}(\tau') \not< \mathrm{base}(\tau)\}$.

From now on, we will assume every π-term is annotated with types: in a restriction $\nu X$, $X$ is a set of type assignments.

Definition 4 (Annotated term). A T-annotated π-term (or simply annotated π-term) $P \in \mathcal{P}^T$ has the same syntax as regular π-terms except restrictions take the form $\nu x : \tau$. The semantics is the same, except type annotations get copied when a name is duplicated or renamed by structural congruence. The definition of forest representation is also extended to annotated π-terms by changing the case when $Q = \nu x : \tau.Q'$ to $(x, t)[\mathrm{forest}(Q')]$, where $\mathrm{base}(\tau) = t$. The forests in $\mathcal{F}[P]$ will thus have labels in $(\mathrm{active}_\nu(P) \times T) \uplus \mathrm{seq}(P)$. We write $\mathcal{F}_{\mathcal{P}}$ for the set of forests with labels in $(\mathcal{N} \times T) \uplus \mathcal{S}$. The set $\mathcal{P}^T_{\mathrm{nf}}$ contains all the annotated π-terms in normal form.

Figure 2. Examples of forests in $\mathcal{F}[P]$ of Example 4: $P = \nu a\, b\, c.(A_1 \,\|\, A_2 \,\|\, A_3 \,\|\, A_4)$ where $A_1 = \bar a\langle x\rangle$, $A_2 = \bar b\langle x\rangle$, $A_3 = \bar c\langle x\rangle$ and $A_4 = \bar a\langle b\rangle$. [The five forest diagrams of the figure are not recoverable from the extracted text.]

Given a normal form $P = \nu X.\prod_{i \in I} A_i$ we say that $A_i$ is linked to $A_j$ in $P$, written $i \frown_P j$, if $\mathrm{fn}(A_i) \cap \mathrm{fn}(A_j) \cap \{x \mid (x : \tau) \in X\} \neq \emptyset$. We also define the tied-to relation as the transitive closure of $\frown_P$, i.e. $A_i$ is tied to $A_j$, written $i \frown^+_P j$, if $\exists k \in I.\ i \frown_P k \wedge k \frown^+_P j$. Furthermore, we say that a name $y$ is tied to $A_i$ in $P$, written $y \lhd_P i$, if $\exists j \in I.\ y \in \mathrm{fn}(A_j) \wedge j \frown^+_P i$. Given an input-prefixed normal form $a(y).P$ where $P = \nu X.\prod_{i \in I} A_i$, we say that $A_i$ is migratable in $a(y).P$, written $\mathrm{Mig}_{a(y).P}(i)$, if $y \lhd_P i$.

The tied-to relation may seem obscure at first. Its meaning is better explained by the following lemma, which indicates how this relation fundamentally constrains the possible shape of the forest of a term.

Lemma 2. Let $P = \nu X.\prod_{i \in I} A_i \in \mathcal{P}^T_{\mathrm{nf}}$; if $i \frown^+_P j$ then any forest $\varphi \in \mathcal{F}[P]$ containing two leaves labelled with $A_i$ and $A_j$ respectively will be such that these leaves belong to the same tree (i.e. have a common ancestor in $\varphi$).

Proof. We show that the claim holds in the case where $A_i$ is linked to $A_j$ in $P$. From this, a simple induction over the length of linked-to steps required to prove $i \frown^+_P j$ can prove the lemma.

Suppose $i \frown_P j$. Let $Y = \mathrm{fn}(A_i) \cap \mathrm{fn}(A_j) \cap \{x \mid (x : \tau) \in X\}$; we have $Y \neq \emptyset$. Both $A_i$ and $A_j$ are in the scope of each of the restrictions binding names $y \in Y$ in any of the processes $Q$ in the congruence class of $P$; hence, by definition of forest, the nodes labelled with $A_i$ and $A_j$ generated by $\mathrm{forest}(Q)$ will have nodes labelled with $(y, \mathrm{base}(X(y)))$ as common ancestors. □

Example 4. Take the normal form $P = \nu a\, b\, c.(A_1 \,\|\, A_2 \,\|\, A_3 \,\|\, A_4)$ where $A_1 = \bar a\langle x\rangle$, $A_2 = \bar b\langle x\rangle$, $A_3 = \bar c\langle x\rangle$ and $A_4 = \bar a\langle b\rangle$. We have $1 \frown_P 4$, $2 \frown_P 4$, therefore $1 \frown^+_P 2 \frown^+_P 4$ and $a \lhd_P 2$. In Figure 2 we show some of the forests in $\mathcal{F}[P]$. Forest 1 represents $\mathrm{forest}(P)$. The fact that $A_1$, $A_2$ and $A_4$ are tied is reflected by the fact that none of the forests place them in disjoint trees. Now suppose we select only the forests in $\mathcal{F}[P]$ that have $a$ as an ancestor of $b$: in all the forests in this set, the nodes labelled with $A_1$, $A_2$ and $A_4$ have $a$ as common ancestor (as in forests 1, 2, 3 and 4). In particular, in these forests $A_2$ is necessarily a descendant of $a$ even if $a$ is not one of its free names.

Definition 5 (T-compatibility). Let $P \in \mathcal{P}^T$ be an annotated π-term. A forest $\varphi \in \mathcal{F}[P]$ is said to be T-compatible if for every trace $((x_1, t_1) \ldots (x_k, t_k)\, A)$ in $\varphi$ it holds that $t_1 < t_2 < \cdots < t_k$. $P$ is said to be T-compatible if there exists a T-compatible forest in $\mathcal{F}[P]$. A term is T-shaped if each of its subterms is T-compatible.

Example 5. Let us fix $T$ to be the forest $s \prec c \prec m \prec d$. The normal form in Example 1 is T-compatible when $s$ and $c$ are annotated with types $\tau_s$ and $\tau_c$ respectively, with $\mathrm{base}(\tau_s) = s$ and $\mathrm{base}(\tau_c) = c$; indeed we have $\mathrm{forest}(\nu(s : \tau_s)(c : \tau_c).P) = (s, s)[(c, c)[S^*[\,] \uplus C^*[\,] \uplus M^*[\,]]]$. By annotating $m$ and $d$ with types with base type $m$ and $d$ respectively, the term is also T-shaped.

Since T-compatibility is a condition on types, α-renaming does not interfere with it.

Lemma 3. If $\mathrm{forest}(P)$ is T-compatible then for any term $Q$ which is an α-renaming of $P$, $\mathrm{forest}(Q)$ is T-compatible.

Lemma 4. Let $P = \nu X.\prod_{i \in I} A_i$ be a T-compatible normal form, $Y \subseteq X$ and $J \subseteq I$. Then $P' = \nu Y.\prod_{j \in J} A_j$ is T-compatible.

Proof. Take a T-compatible forest $\varphi \in \mathcal{F}[P]$. By Lemma 3 we can assume without loss of generality that $\varphi = \mathrm{forest}(Q)$ where proving $Q \equiv P$ does not require α-renaming. Clearly, removing the leaves that do not correspond to sequential terms indexed by $J$ does not affect the T-compatibility of $\varphi$. Similarly, if a restriction $(x : \tau) \in X$ is not in $Y$, we can remove the node of $\varphi$ labelled with $(x, \mathrm{base}(\tau))$ by making its parent the new parent of its children. This operation is unambiguous under Name Uniqueness and does not affect T-compatibility, by transitivity of $<$. We then obtain a forest $\varphi'$ which is T-compatible and that, by Lemma 1, is the forest of a term congruent to the desired normal form $P'$. □

While many forests in $\mathcal{F}[P]$ can be witnesses of the T-compatibility of $P$, we want to characterise the shape of a witness that must exist if $P$ is T-compatible. Such a forest is identified by $\Phi_T(\mathrm{nf}(P))$ where $\Phi_T\colon \mathcal{P}^T_{\mathrm{nf}} \to \mathcal{F}_{\mathcal{P}}$ is the function defined in Figure 3. We omit the subscript when irrelevant or clear from the context.

$$\Phi_T(P) := \begin{cases} \displaystyle\biguplus_{i \in I} A_i[(\emptyset, \emptyset)] & \text{if } X = \emptyset \\[2ex] \displaystyle\Big(\biguplus \{(x, \mathrm{base}(\tau))[\Phi_T(\nu Y_x.\textstyle\prod_{i \in I_x} A_i)] \mid (x : \tau) \in \min_T(X)\}\Big) \uplus \Phi_T(\nu Z.\textstyle\prod_{i \in R} A_i) & \text{if } X \neq \emptyset \end{cases}$$

where $P = \nu X.\prod_{i \in I} A_i$ and

$$I_x = \{i \in I \mid x \lhd_P i\} \qquad R = I \setminus \bigcup_{(x : \tau) \in \min_T(X)} I_x$$
$$Y_x = \{(y : \tau) \in X \mid \exists i \in I_x.\ y \in \mathrm{fn}(A_i)\} \setminus \min_T(X) \qquad Z = X \setminus \bigcup_{(x : \tau) \in \min_T(X)} (Y_x \cup \{x : \tau\})$$

Figure 3. Definition of $\Phi_T\colon \mathcal{P}^T_{\mathrm{nf}} \to \mathcal{F}_{\mathcal{P}}$.


Example 6. In the run shown in Example 1, after three steps we reach $Q = \nu s\, c\, m\, d.(P \,\|\, \bar m\langle d\rangle \,\|\, m(y).\bar c\langle m\rangle)$. The forest $\Phi_T(Q)$, when $T$ and type annotations are as in Example 5, is

$$s\big[\, c\big[\, S^*[\,] \uplus C^*[\,] \uplus M^*[\,] \uplus m\big[\, m(y).\bar c\langle m\rangle[\,] \uplus d\big[\, \bar m\langle d\rangle[\,] \,\big] \big] \big] \big]$$

where the nodes show only the name components of their labels for conciseness. Note how the scope of names is minimised while respecting T-compatibility.

Consider the term $P$ in Example 4, with annotations $a : a[b[t]]$, $b : b[t]$ and $c : c[t']$. Forests 4 and 5 of Figure 2 represent $\Phi_T(P)$ when $T$ is $a \prec b$ and $b \prec a$ respectively.

Lemma 5. Let $P \in \mathcal{P}^T_{\mathrm{nf}}$. Then:

a) $\Phi_T(P)$ is a T-compatible forest;
b) $\Phi_T(P) \in \mathcal{F}[P]$ if and only if $P$ is T-compatible;
c) if $P \equiv Q \in \mathcal{P}^T$ then $\Phi_T(P) \in \mathcal{F}[Q]$ if and only if $Q$ is T-compatible.

Proof. Item a) is an easy induction on the cardinality of $X$.

Item b) requires more work. By item a) $\Phi(P)$ is T-compatible, so $\Phi(P) \in \mathcal{F}[P]$ proves that $P$ is T-compatible.

To prove the $\Leftarrow$-direction we assume that $P = \nu X.\prod_{i \in I} A_i$ is T-compatible and proceed by induction on the cardinality of $X$ to show that $\Phi(P) \in \mathcal{F}[P]$. The base case is when $X = \emptyset$: $\Phi(P) = \biguplus_{i \in I} A_i[(\emptyset, \emptyset)] = \mathrm{forest}(P) \in \mathcal{F}[P]$. For the induction step, we observe that $X \neq \emptyset$ implies $\min_T(X) \neq \emptyset$, so $Z \subsetneq X$ and, for each $(x : \tau) \in \min_T(X)$, $Y_x \subsetneq X$ since $x \notin Y_x$. This, together with Lemma 4, allows us to apply the induction hypothesis on the terms $P_x = \nu Y_x.\prod_{j \in I_x} A_j$ and $P_R = \nu Z.\prod_{j \in R} A_j$, obtaining that there exist terms $Q_x \equiv P_x$ and $Q_R \equiv P_R$ such that $\mathrm{forest}(Q_x) = \Phi(P_x)$ and $\mathrm{forest}(Q_R) = \Phi(P_R)$, where all the forests $\mathrm{forest}(Q_x)$ and $\mathrm{forest}(Q_R)$ are T-compatible. Let $Q = \prod\{\nu(x : \tau).Q_x \mid (x : \tau) \in \min_T(X)\} \,\|\, Q_R$; then $\mathrm{forest}(Q) = \Phi(P)$. To prove the claim we only need to show that $Q \equiv P$. We have $Q \equiv \prod\{\nu(x : \tau).\nu Y_x.\prod_{j \in I_x} A_j \mid (x : \tau) \in \min_T(X)\} \,\|\, P_R$ and we want to apply extrusion to get $Q \equiv \nu Y_{\min}.(\prod_{i \in I_{\min}} A_i) \,\|\, P_R$ where $I_{\min} = \biguplus\{I_x \mid (x : \tau) \in \min_T(X)\}$ and $Y_{\min} = \min_T(X) \uplus \biguplus\{Y_x \mid (x : \tau) \in \min_T(X)\}$, which adds an obligation to prove that

i) the $I_x$ are all pairwise disjoint, so that $I_{\min}$ is well-defined,
ii) the $Y_x$ are all pairwise disjoint and all disjoint from $\min_T(X)$, so that $Y_{\min}$ is well-defined,
iii) $Y_x \cap \mathrm{fn}(A_j) = \emptyset$ for every $j \in I_z$ with $z \neq x$, so that we can apply the extrusion rule.

To prove condition i), assume by contradiction that there exist an $i \in I$ and names $x, y \in \min_T(X)$ with $x \neq y$, such that both $x$ and $y$ are tied to $A_i$ in $P$. By transitivity of the tied-to relation, we have $I_x = I_y$. By Lemma 2 all the $A_j$ with $j \in I_x$ need to be in the same tree in any forest $\varphi \in \mathcal{F}[P]$. Since $P$ is T-compatible there exists such a $\varphi$ which is T-compatible and has every $A_j$ as label of leaves of the same tree. This tree will include a node $n_x$ labelled with $(x, \mathrm{base}(X(x)))$ and a node $n_y$ labelled with $(y, \mathrm{base}(X(y)))$. By T-compatibility of $\varphi$ and the existence of a path between $n_x$ and $n_y$ we infer $\mathrm{base}(X(x)) < \mathrm{base}(X(y))$ or $\mathrm{base}(X(y)) < \mathrm{base}(X(x))$, which contradicts the assumption that $x, y \in \min_T(X)$.

Condition ii) follows from condition i): suppose there exists a $(z : \tau) \in X \cap Y_x \cap Y_y$ for $x \neq y$; then we would have $z \in \mathrm{fn}(A_i) \cap \mathrm{fn}(A_j)$ for some $i \in I_x$ and $j \in I_y$, but then $i \frown_P j$, meaning that $i \in I_y$ and $j \in I_x$, violating condition i). The fact that $Y_x \cap \min_T(X) = \emptyset$ follows from the definition of $Y_x$. The same reasoning proves condition iii).

Now we have $Q \equiv \nu Y_{\min}.\prod_{i \in I_{\min}} A_i \,\|\, \nu Z.\prod_{i \in R} A_i$ and we want to apply extrusion again to get $Q \equiv \nu Y_{\min}\, Z.\prod\{A_i \mid i \in (I_{\min} \uplus R)\}$, which is sound under the following conditions:

iv) $Y_{\min} \cap Z = \emptyset$,
v) $I_{\min} \cap R = \emptyset$,
vi) $Z \cap \mathrm{fn}(A_i) = \emptyset$ for all $i \notin R$,

of which the first two hold trivially by construction, while the last follows from condition viii) below, as a name in the intersection of $Z$ and a $\mathrm{fn}(A_i)$ would need to be in $X$ but not in $Y_{\min}$. To be able to conclude that $Q \equiv P$ it remains to prove that

vii) $I = I_{\min} \uplus R$ and
viii) $X = Y_{\min} \uplus Z$,

which are also trivially valid by inspection of their definitions. This concludes the proof for item b).

Finally, for every $Q \in \mathcal{P}^T$ such that $Q \equiv P$, $\Phi(P) \in \mathcal{F}[Q]$ if and only if $\Phi(P) \in \mathcal{F}[P]$ by definition of $\mathcal{F}[-]$; since $\Phi(P)$ is T-compatible we can infer that $Q$ is T-compatible if and only if $\Phi(P) \in \mathcal{F}[Q]$, which proves item c). □

Lemma 6. Let $P = \nu X.\prod_{i \in I} A_i \in \mathcal{P}^T_{\mathrm{nf}}$ be a T-compatible normal form. Then for every trace $((x_1, t_1) \ldots (x_k, t_k)\, A_j)$ in the forest $\Phi(P)$, for every $i \in \{1, \ldots, k\}$, we have $x_i \lhd_P j$ (i.e. $x_i$ is tied to $A_j$ in $P$).

Proof. Straightforward from the definition of $\Phi$: when a node labelled by $(x, t)$ is introduced, its subtree is extracted from a recursive call on a term that contains all and only the sequential terms that are tied to $x$. □

Remark 1. $\Phi(P)$ satisfies conditions 1, 2 and 3 of Lemma 1.

It is clear from the definition that if a π-term $P$ is T-compatible then $\mathrm{depth}(P)$ is bounded by the length of the longest strictly increasing chain in $T$; since $T$ is assumed to be finite, the bound on the depth is finite.

Proposition 1. Let $T$ be a forest and $P$ an annotated π-term. If every $Q \in \mathrm{Reach}(P)$ is T-compatible, then $P$ is depth-bounded.

Example 7. Fix $T$ to be the forest $n \prec v \prec s \prec a$ and take the term of Example 2, annotating it with types such that the base types of the names $n, v, s, a$ and $b$ are $n, v, s, a$ and $a$ respectively. The term $\nu n\, v\, s\, a.(S^* \,\|\, \bar s\langle a\rangle)$ is T-compatible, but the term $Q = \nu n\, v\, s\, a\, b\, b'.(S^* \,\|\, (\bar v\langle b\rangle.\bar n\langle a\rangle) \,\|\, (\bar v\langle b'\rangle.\bar n\langle b\rangle) \,\|\, \bar s\langle b'\rangle)$, reachable from it, is not: $b$ and $b'$ have the same base type $a$ but need to be in the same trace in any forest of $\mathcal{F}[Q]$. As we have shown in Example 3, this term is not bounded in depth, so there cannot be any finite $T$ such that every reachable term is T-compatible.

IV. A Type System for Hierarchical Topologies

We now define a type system to prove depth boundedness. Our goal is to use Proposition 1 by devising a type system, parametrised over $T$, such that typability implies invariance of T-compatibility under reduction. Typability of a T-compatible term $P$ would then imply that every term reachable from it is T-compatible, entailing depth boundedness of $P$.

A judgement $\Gamma \vdash_T P$ means that $P \in \mathcal{P}^T_{\mathrm{nf}}$ can be typed under assumptions $\Gamma$, over the tree $T$; we say that $P$ is typable if $\Gamma \vdash_T P$ is provable for some $\Gamma$ and $T$. An arbitrary term $P \in \mathcal{P}^T$ is said to be typable if its normal form is. The typing rules are presented in Figure 4.

The type system presents several non-standard features. First, it is defined on normal forms as opposed to general π-terms. This choice is motivated by the fact that different syntactic presentations of the same term may be misleading when trying to analyse the relation between the structure of the term and $T$. The rules need to guarantee that a reduction will not break T-compatibility, which is a property of the congruence class of the term. As justified by Lemma 2, the scope of names in a congruence class may vary, but the tied-to relation puts constraints on the structure that must be obeyed by all members of the class. Therefore the type system is designed around this basic concept, rather than the specific scoping of any representative of the structural congruence class. Second, no type information is associated with the typed term; only restricted names hold type annotations. Third, while the rules are compositional, the constraints on base types have a global flavour due to the fact that they involve the structure of $T$, which is a global parameter of typing proofs.

Let us illustrate intuitively how the constraints enforced by the rules guarantee
preservation of $T$-compatibility. Consider the term

$$P = \nu e a.\bigl(\nu b.(\bar a\langle b\rangle.A_0) \parallel \nu d.(a(x).A)\bigr)$$

with $A = \nu c.(A_1 \parallel A_2 \parallel A_3)$, $A_0 = b(y)$,
$A_1 = \bar x\langle c\rangle$, $A_2 = c(z).\bar d\langle e\rangle$ and $A_3 = d(d)$. Let
$T$ be the forest with $t_e < t_a < t_b < t_c$ and $t_a < t_d$, where $t_x$ is the base
type of the (omitted) annotation of the restriction $\nu x$, for $x \in \{a, b, c, d, e\}$.
The reader can check that $\mathrm{forest}(P)$ is $T$-compatible. In the traditional
understanding of mobility, we would interpret the communication of $b$ over $a$ as an
application of scope extrusion to include $\nu d.(a(x).A)$ in the scope of $b$ and then
synchronisation over $a$ with the application of the substitution $[b/x]$ to $A$; note that
the substitution is only valid because the scope of $b$ has been extended to include the
receiver. Our key observation is that we can instead interpret this communication as a
migration of the subcomponents of $A$ that do get their scopes changed by the reduction,
from the scope of the receiver to the scope of the sender. For this operation to be sound,
the subcomponents of $A$ migrating to the sender's scope cannot use the names that are in
the scope of the receiver but not of the sender. In our specific example, after the
synchronisation between the prefixes $\bar a\langle b\rangle$ and $a(x)$, $b$ is
substituted for $x$ in $A_1$, resulting in the term $A_1' = \bar b\langle c\rangle$, and
$A_0$, $A_1'$, $A_2$ and $A_3$ become active. The scope of $A_0$ can remain unchanged, as
it cannot know more names than before as a result of the communication. By contrast,
$A_1'$ now knows $b$ as a result of the substitution $[b/x]$: $A_1'$ needs to migrate under
the scope of $b$. Since $A_1'$ uses $c$ as well, the scope of $c$ needs to be moved under
$b$; however $A_2$ uses $c$, so it needs to migrate under $b$ together with the scope of
$c$. $A_3$ instead uses neither $b$ nor $c$, so it can avoid migration and its scope
remains unaltered. This information can be formalised using the tied-to relation: on the
one hand, $A_1$ and $A_2$ need to be moved together because $c \triangleleft_A A_1, A_2$,
and they need to be moved because $x \triangleleft_{a(x).A} A_1, A_2$. On the other hand,
$A_3$ is tied to neither $A_1$ nor $A_2$ in $A$ and does not know $x$, thus it is not
migratable. After reduction, our view of the reactum is the term

$$\nu e a.\bigl(\nu b.(A_0 \parallel \nu c.(A_1' \parallel A_2)) \parallel \nu d.A_3\bigr)$$

the forest of which is $T$-compatible. Rule Par, applied to $A_1$ and $A_2$, ensures that
$c$ has a base type that can be nested under the one of $b$. Rule In does not impose
constraints on the base types of $A_3$ because $A_3$ is not migratable. It does however
check that the base type of $e$ is an ancestor of the one of $a$, thus ensuring that both
receiver and sender are already in the scope of $e$. The base type of $a$ does not need to
be further constrained, since the fact that the synchronisation happened on it implies that
both the receiver and the sender were already under its scope; this implies, by
$T$-compatibility of $P$, that $c$ can be nested under $a$.

Figure 4. A type system for proving depth boundedness. The term $P$ stands for
$\nu X.\prod_{i \in I} A_i$; $\mathrm{Mig}_{a(x).P}(i)$ holds when $A_i$ is migratable in
$a(x).P$, i.e. when $x \triangleleft_P A_i$.

Par:
$$\frac{\forall i \in I.\ \Gamma, X \vdash_T A_i \qquad \forall i \in I.\ \forall (x{:}\tau_x) \in X.\ x \triangleleft_P A_i \Rightarrow \mathrm{base}(\Gamma(\mathrm{fn}(A_i))) < \mathrm{base}(\tau_x)}{\Gamma \vdash_T \nu X.\prod_{i \in I} A_i}$$

Repl:
$$\frac{\Gamma \vdash_T A}{\Gamma \vdash_T A^*}$$

Tau:
$$\frac{\Gamma \vdash_T P}{\Gamma \vdash_T \tau.P}$$

Choice:
$$\frac{\forall i \in I.\ \Gamma \vdash_T \pi_i.P_i}{\Gamma \vdash_T \sum_{i \in I} \pi_i.P_i}$$

Out:
$$\frac{a{:}t_a[\tau_b] \in \Gamma \qquad b{:}\tau_b \in \Gamma \qquad \Gamma \vdash_T Q}{\Gamma \vdash_T \bar a\langle b\rangle.Q}$$

In:
$$\frac{a{:}t_a[\tau_x] \in \Gamma \qquad \Gamma, x{:}\tau_x \vdash_T P \qquad \mathrm{base}(\tau_x) < t_a \ \vee\ \bigl(\forall i \in I.\ \mathrm{Mig}_{a(x).P}(i) \Rightarrow \mathrm{base}(\Gamma(\mathrm{fn}(A_i) \setminus \{a\})) < t_a\bigr)}{\Gamma \vdash_T a(x).\nu X.\prod_{i \in I} A_i}$$

We now describe the purpose of the rules of the type system in more detail. Most of the
rules just drive the derivation through the structure of the term. The crucial constraints
are checked by Par, In and Out.

The Out rule is the one enforcing types to be consistent 
with the dataflow of the process: the type of the argument of a 
channel a must agree with the types of all the names that may 
be sent over a. This is a very coarse sound over-approximation 
of the dataflow; if necessary it could be refined using well- 
known techniques from the literature but a simple approach is 
sufficient here to type interesting processes. 

Rule Par is best understood by imagining the normal form to be typed, $P$, as the
continuation of a prefix $\pi.P$. In this context a reduction exposes each of the active
sequential subterms of $P$, which need to have a place in a $T$-compatible forest for the
reactum. The constraint in Par can be read as follows. A "new" leaf $A_i$ may refer to
names already present in the forests of the reaction context; these names are the ones
mentioned in both $\mathrm{fn}(A_i)$ and $\Gamma$. Then we must be able to insert $A_i$ so
that we can find these names in its path. However, $A_i$ must belong to a tree containing
all the names in $X$ that are tied to it in $P$. So by requiring every name tied to $A_i$
to have a base type greater than that of any name in the context that $A_i$ may refer to,
we make sure that we can insert the continuation in the forest of the context without
violating $T$-compatibility. Note that $\Gamma(\mathrm{fn}(A_i))$ contains only types that
annotate names both in $\Gamma$ and in $\mathrm{fn}(A_i)$, that is, names which are not
restricted by $X$ and are referenced by $A_i$ (and therefore come from the context).

Rule In serves two purposes: on the one hand it requires the type of the messages that can
be sent through $a$ to be consistent with the use of the variable $x$ which will be bound
to the messages; on the other hand, it constrains the base types of $a$ and $x$ so that
synchronisation can be performed without breaking $T$-compatibility. The second purpose is
achieved by distinguishing two cases, represented by the two disjuncts of the condition on
base types of the rule. In the first case the base type of the message is an ancestor of
the base type of $a$ in $T$. This implies that in any $T$-compatible forest representing
$a(x).P$, the name $b$ sent as message over $a$ is already in the scope of $P$. Under this
circumstance there is no real migration: the substitution $[b/x]$ does not alter the scope
of $P$ and the $T$-compatibility constraints to be satisfied are in essence unaltered.
The second case is more complicated as it involves migration. This case also requires a
slightly non-standard feature: the premises predicate not only on the direct subcomponents
of an input-prefixed term, but also on the direct subcomponents of the continuation. This is
needed to be able to separate the continuation into two parts: the one requiring migration
and the one that does not. The non-migratable sequential terms behave exactly as in the
case of the first disjunct: their scope is unaltered. The migratable ones instead are
intended to be inserted as descendants of the node representing the message in the forest
of the reaction context. For this to be valid without rearrangement of the forest of the
context, we need all the names in the context that are referenced in the migratable terms
to be already in their scope; we make sure this is the case by requiring the free names of
any migratable $A_i$ that are from the context (i.e. in $\Gamma$) to have base types
smaller than the base type of $a$. The set
$\mathrm{base}(\Gamma(\mathrm{fn}(A_i) \setminus \{a\}))$ indeed represents the base types
of the names in the reaction context referenced in a migratable continuation $A_i$. In
fact $a$ is a name that needs to be in the scope of both the sender and the receiver at the
same time, so it needs to be a common ancestor of sender and receiver in any
$T$-compatible forest. Any name in the reaction context and in the continuation of the
receiver, with a base type smaller than the one of $a$, will be an ancestor of $a$, and
hence of the sender, the receiver and the node representing the message, in any
$T$-compatible forest. Clearly, remembering $a$ is not harmful as it must already be in the
scope of receiver and sender, so we exclude it from the constraint.

Example 8. Take the normal form in Example 1. Let us fix $T$ to be the forest
$s \prec c \prec m \prec d$ and annotate the normal form with the following types:
$s{:}\tau_s = s[\tau_m]$, $c{:}\tau_c = c[\tau_m]$, $m{:}\tau_m = m[d]$ and $d{:}d$. Let
$\Gamma = \{(s{:}\tau_s), (c{:}\tau_c)\}$. We want to prove $\emptyset \vdash_T \nu s c.P$.
We can apply rule Par: in this case there are no conditions on types because, the
environment being empty, we have $\mathrm{base}(\emptyset(\mathrm{fn}(A))) = \emptyset$ for
every active sequential term $A$ of $P$. The rule requires $\Gamma \vdash_T S^*$,
$\Gamma \vdash_T C^*$ and $\Gamma \vdash_T M^*$, which can be proved by proving typability
of $S$, $C$ and $M$ under $\Gamma$ by rule Repl. To prove $\Gamma \vdash_T S$ we apply rule
In; we have $s{:}s[\tau_m] \in \Gamma$ and we need to prove that
$\Gamma, x{:}\tau_m \vdash_T \nu d.\bar x\langle d\rangle$. No constraints on base types
are generated at this step since the migratable sequential term
$\nu d.\bar x\langle d\rangle$ does not contain free names typed by $\Gamma$, making
$\Gamma(\mathrm{fn}(\nu d.\bar x\langle d\rangle) \setminus \{s\}) = \Gamma(\{x\})$ empty.
Next, $\Gamma, x{:}\tau_m \vdash_T \nu d.\bar x\langle d\rangle$ can be proved by applying
rule Par, which amounts to checking $\Gamma, x{:}\tau_m \vdash_T \bar x\langle d\rangle.0$
(by a simple application of Out and the axiom $\Gamma, x{:}\tau_m \vdash_T 0$) and
verifying the condition, true in $T$, $\mathrm{base}(\tau_m) < \mathrm{base}(\tau_d)$: in
fact $d$ is tied to $\bar x\langle d\rangle$ and, for $\Gamma' = \Gamma \cup \{x{:}\tau_m\}$,
$\mathrm{base}(\Gamma'(\mathrm{fn}(\bar x\langle d\rangle))) = \mathrm{base}(\Gamma'(\{x, d\})) = \mathrm{base}(\{\tau_m\})$.
The proof for $\Gamma \vdash_T M$ is similar and requires $c < m$, which is true in $T$.
Finally, we can prove $\Gamma \vdash_T C$ using rule In; both continuations
$A_1 = \bar s\langle m\rangle$ and $A_2 = m(y).\bar c\langle m\rangle$ are migratable in
$C$ and, since $\mathrm{base}(\tau_m) < \mathrm{base}(\tau_c)$ is false, we need the other
disjunct of the condition to be true. This amounts to checking that
$\mathrm{base}(\Gamma(\mathrm{fn}(A_1) \setminus \{c\})) = \mathrm{base}(\Gamma(\{s, m\})) = \mathrm{base}(\{\tau_s\}) < c$
(note $m \notin \mathrm{dom}(\Gamma)$) and
$\mathrm{base}(\Gamma(\mathrm{fn}(A_2) \setminus \{c\})) = \mathrm{base}(\Gamma(\{m\})) = \emptyset < c$
(which holds trivially). Fortunately, this is the case in $T$. To complete the typing we
need to show $\Gamma, m{:}\tau_m \vdash_T A_1$ and $\Gamma, m{:}\tau_m \vdash_T A_2$. The
former can be proved by a simple application of Out, which does not impose further
constraints on $T$. The latter is proved by applying In, which requires
$\mathrm{base}(\tau_c) < m$, which holds in $T$. Note how, at every step, there is only one
rule that applies to each subproof.

Example 9. There is no choice for (a finite) $T$ that would make the normal form in
Example 2 typable. To see why, one can build the proof tree without assumptions on $T$,
obtaining that:

1) the restrictions must be annotated with types consistent with the type assignments

$$s{:}t_s[t] \qquad v{:}t_v[t] \qquad n{:}t_n[t] \qquad a{:}t \qquad b{:}t$$

2) $T$ must satisfy the constraint that the base type assigned to $b$ must be strictly
greater than the one assigned to $x$, which is inconsistent with $s{:}t_s[t]$, $b{:}t$.

A. Soundness 

In this section we show how the type system can be used to 
prove depth-boundedness. Theorem 1 will show how typability 
is preserved by reduction. Theorem 2 establishes the main 
property of the type system: if a term is typable then T- 
shapedness is invariant under reduction. This allows us to 
conclude that if a term is T-shaped and typable, then every 
term reachable from it will be T-shaped and, therefore, it is 
depth-bounded. 

We start with some simple properties of the type system. 

Lemma 7. Let $P$ be a normal form and $\Gamma$, $\Gamma'$ be type environments.

a) if $\Gamma \vdash_T P$ then $\mathrm{fn}(P) \subseteq \mathrm{dom}(\Gamma)$;

b) if $\mathrm{dom}(\Gamma') \cap \mathrm{bn}(P) = \emptyset$ and
$\mathrm{fn}(P) \subseteq \mathrm{dom}(\Gamma)$, then $\Gamma \vdash_T P$ if and only if
$\Gamma, \Gamma' \vdash_T P$;

c) if $P \equiv P'$ with $P'$ a normal form, then $\Gamma \vdash_T P$ if and only if
$\Gamma \vdash_T P'$.

The substitution lemma states that substituting names without altering the types preserves
typability.

Lemma 8 (Substitution). Let $P$ be a normal form and $\Gamma$ be a typing environment
including the type assignments $a{:}\tau$ and $b{:}\tau$. Then, if $\Gamma \vdash_T P$,
it holds that $\Gamma \vdash_T P[b/a]$.

Proof. We prove the lemma by induction on the structure of $P$. The base case is when
$P = 0$, where the claim trivially holds.

For the induction step, let $P = \nu X.\prod_{i \in I} A_i$ with
$A_i = \sum_{j \in J} \pi_{ij}.P_{ij}$ for some finite sets of indexes $I$ and $J$. Since
the presence of replication does not affect the typing proof, we can safely ignore that
case as it follows the same argument. Let us assume $\Gamma \vdash_T P$ and prove that
$\Gamma \vdash_T P[b/a]$.

Let $\Gamma'$ be $\Gamma \cup X$. From $\Gamma \vdash_T P$ we have

$$\Gamma, X \vdash_T A_i \tag{1}$$

$$x \triangleleft_P A_i \Rightarrow \mathrm{base}(\Gamma(\mathrm{fn}(A_i))) < \mathrm{base}(\tau_x) \tag{2}$$

for each $i \in I$ and $x{:}\tau_x \in X$. To extract from these assumptions a proof for
$\Gamma \vdash_T P[b/a]$, we need to prove that (1) and (2) hold after the substitution.

Since the substitution does not apply to names in $X$ and the tied-to relation is only
concerned with names in $X$, the only relevant effect of the substitution is modifying the
set $\mathrm{fn}(A_i)$ to
$\mathrm{fn}(A_i[b/a]) = (\mathrm{fn}(A_i) \setminus \{a\}) \cup \{b\}$ when
$a \in \mathrm{fn}(A_i)$; but since $\Gamma(a) = \Gamma(b)$ by hypothesis, we have
$\mathrm{base}(\Gamma(\mathrm{fn}(A_i[b/a]))) < \mathrm{base}(\tau_x)$.

It remains to prove that (1) holds after the substitution as well. This amounts to proving
for each $j \in J$ that $\Gamma' \vdash_T \pi_{ij}.P_{ij}$ implies
$\Gamma' \vdash_T \pi_{ij}.P_{ij}[b/a]$; we prove this by cases.

Suppose $\pi_{ij} = \bar\alpha\langle\beta\rangle$ for two names $\alpha$ and $\beta$; then
from $\Gamma' \vdash_T \pi_{ij}.P_{ij}$ we know the following:

$$\alpha{:}t_\alpha[\tau_\beta] \in \Gamma' \qquad \beta{:}\tau_\beta \in \Gamma' \tag{3}$$

$$\Gamma' \vdash_T P_{ij} \tag{4}$$

Condition (3) is preserved after the substitution because it involves only types, so even
if $\alpha$ or $\beta$ is $a$, their types will be left untouched after they get
substituted with $b$, by the hypothesis that $\Gamma(a) = \Gamma(b)$. Condition (4) implies
$\Gamma' \vdash_T P_{ij}[b/a]$ by inductive hypothesis.

Suppose now that $\pi_{ij} = \alpha(x)$ and $P_{ij} = \nu Y.\prod_{k \in K} A_k$ for some
finite set of indexes $K$; by hypothesis we have:

$$\alpha{:}t_\alpha[\tau_x] \in \Gamma' \tag{5}$$

$$\Gamma', x{:}\tau_x \vdash_T P_{ij} \tag{6}$$

$$\mathrm{base}(\tau_x) < t_\alpha \ \vee\ \forall k \in K.\ \mathrm{Mig}_{\pi_{ij}.P_{ij}}(k) \Rightarrow \mathrm{base}(\Gamma'(\mathrm{fn}(A_k) \setminus \{\alpha\})) < t_\alpha \tag{7}$$

Now $X$ and $Y$ are bound names, so they are not altered by substitutions. The
substitution $[b/a]$ can therefore only affect the truth of these conditions when
$\alpha = a$ or when $a \in \mathrm{fn}(A_k) \setminus (Y \cup \{x\})$. Since we know $a$
and $b$ are assigned the same type by $\Gamma$ and $\Gamma \subseteq \Gamma'$, condition
(5) still holds when substituting $b$ for $a$. Condition (6) holds by inductive
hypothesis. The first disjunct of condition (7) depends only on types, which are not
changed by the substitution, so it holds after applying it if and only if it holds before
the application. To see that the second disjunct also holds after the substitution we
observe that the migratable condition depends on $x$ and $\mathrm{fn}(A_k) \cap Y$, which
are preserved by the substitution; moreover, if
$a \in \mathrm{fn}(A_k) \setminus \{\alpha\}$ then
$\Gamma'(\mathrm{fn}(A_k) \setminus \{\alpha\}) = \Gamma'(\mathrm{fn}(A_k[b/a]) \setminus \{\alpha\})$.

This shows that the premises needed to derive $\Gamma' \vdash_T \pi_{ij}.P_{ij}[b/a]$ are
implied by our hypothesis, which completes the proof. □
Before we state the main theorem, we define the notion of $P$-safe type environment, which
is a simple restriction on the types that can be assigned to names that are free at the
top level of a term.

Definition 6. A type environment $\Gamma$ is said to be $P$-safe if for each
$x \in \mathrm{fn}(P)$ and $(y{:}\tau) \in \mathrm{bn}_\nu(P)$,
$\mathrm{base}(\Gamma(x)) < \mathrm{base}(\tau)$.

Theorem 1 (Subject Reduction). Let $P$ and $Q$ be two normal forms and $\Gamma$ be a
$P$-safe type environment. If $\Gamma \vdash_T P$ and $P \to Q$, then $\Gamma \vdash_T Q$.

Proof. We will only prove the result for the case when $P \to Q$ is caused by a
synchronising send and receive action, since the $\tau$ action case is similar and
simpler. From $P \to Q$ we know that $P \equiv \nu W.(S \parallel R \parallel C)$ with
$S = (\bar a\langle b\rangle.\nu Y_s.S') + M_s$ and $R = (a(x).\nu Y_r.R') + M_r$ the
synchronising sender and receiver respectively;
$Q \equiv \nu W Y_s Y_r.(S' \parallel R'[b/x] \parallel C)$. In what follows, let
$W' = W Y_s Y_r$, $C = \prod_{h \in H} C_h$, $S' = \prod_{i \in I} S'_i$ and
$R' = \prod_{j \in J} R'_j$, all normal forms.

For annotated terms, the type system is syntax directed: there can be only one proof
derivation for each typable term. By Lemma 7.c, from the hypothesis $\Gamma \vdash_T P$ we
can deduce $\Gamma \vdash_T \nu W.(S \parallel R \parallel C)$. The proof derivation for
this typing judgement can only be of the following shape:

$$\frac{\Gamma, W \vdash_T S \qquad \Gamma, W \vdash_T R \qquad \forall h \in H.\ \Gamma, W \vdash_T C_h \qquad \Psi}{\Gamma \vdash_T \nu W.(S \parallel R \parallel C)} \tag{8}$$

where $\Psi$ represents the rest of the conditions of the Par rule (note that $\Psi$ is
trivially true by $P$-safety of $\Gamma$). The fact that $P$ is typable implies that each
of these premises must be provable. The derivation proving $\Gamma, W \vdash_T S$ must be
of the form

$$\frac{\dfrac{a{:}t_a[\tau_b] \in \Gamma, W \qquad b{:}\tau_b \in \Gamma, W \qquad \Gamma, W \vdash_T \nu Y_s.S'}{\Gamma, W \vdash_T \bar a\langle b\rangle.\nu Y_s.S'} \qquad \Gamma, W \vdash_T M_s}{\Gamma, W \vdash_T \bar a\langle b\rangle.\nu Y_s.S' + M_s} \tag{9}$$

where $\Gamma, W \vdash_T \nu Y_s.S'$ is proved by an inference of the shape

$$\frac{\forall i \in I.\ \Gamma, W, Y_s \vdash_T S'_i \qquad \forall i \in I.\ \Psi^i_{S'}}{\Gamma, W \vdash_T \nu Y_s.S'} \tag{10}$$

Analogously, $\Gamma, W \vdash_T R$ must be proved by an inference with the following
shape

$$\frac{\dfrac{a{:}t_a[\tau_x] \in \Gamma, W \qquad \Gamma, W, x{:}\tau_x \vdash_T \nu Y_r.R' \qquad \Psi_R}{\Gamma, W \vdash_T a(x).\nu Y_r.R'} \qquad \Gamma, W \vdash_T M_r}{\Gamma, W \vdash_T a(x).\nu Y_r.R' + M_r} \tag{11}$$

and to prove $\Gamma, W, x{:}\tau_x \vdash_T \nu Y_r.R'$

$$\frac{\forall j \in J.\ \Gamma, W, x{:}\tau_x, Y_r \vdash_T R'_j \qquad \forall j \in J.\ \Psi^j_{R'}}{\Gamma, W, x{:}\tau_x \vdash_T \nu Y_r.R'} \tag{12}$$

We have to show that from these hypotheses we can infer that $\Gamma \vdash_T Q$ or,
equivalently (by Lemma 7.c), that $\Gamma \vdash_T Q'$ where
$Q' = \nu W Y_s Y_r.(S' \parallel R'[b/x] \parallel C)$. The derivation of this judgement
can only end with an application of Par:

$$\frac{\forall i \in I.\ \Gamma, W' \vdash_T S'_i \qquad \forall j \in J.\ \Gamma, W' \vdash_T R'_j[b/x] \qquad \forall h \in H.\ \Gamma, W' \vdash_T C_h \qquad \Psi'}{\Gamma \vdash_T \nu W'.(S' \parallel R'[b/x] \parallel C)}$$

In what follows we show how we can infer that these premises are provable as a consequence
of the provability of the premises of the proof of
$\Gamma \vdash_T \nu W.(S \parallel R \parallel C)$.

From Lemma 7.b and Name Uniqueness, $\Gamma, W, Y_s \vdash_T S'_i$ from (10) implies
$\Gamma, W' \vdash_T S'_i$ for each $i \in I$.

Let $\Gamma_x = \Gamma, W, x{:}\tau_x$. We observe that by (9) and (11), $\tau_x = \tau_b$.
From (12) we know that $\Gamma_x, Y_r \vdash_T R'_j$ which, by Lemma 8, implies
$\Gamma_x, Y_r \vdash_T R'_j[b/x]$. By Lemma 7.b we can infer
$\Gamma_x, Y_r, Y_s \vdash_T R'_j[b/x]$ and, by applying the same lemma again using
$\mathrm{fn}(R'_j[b/x]) \subseteq \mathrm{dom}(\Gamma, W, Y_r, Y_s)$ and Name Uniqueness,
we obtain $\Gamma, W' \vdash_T R'_j[b/x]$.

Again applying Lemma 7.b and Name Uniqueness, we have that $\Gamma, W \vdash_T C_h$
implies $\Gamma, W' \vdash_T C_h$ for each $h \in H$.

To complete the proof we only need to prove that for each
$A \in \{S'_i \mid i \in I\} \cup \{R'_j[b/x] \mid j \in J\} \cup \{C_h \mid h \in H\}$,
the condition
$\Psi' = \forall (y{:}\tau_y) \in W'.\ y \triangleleft_{Q'} A \Rightarrow \mathrm{base}(\Gamma(\mathrm{fn}(A))) < \mathrm{base}(\tau_y)$
holds. This is trivially true by the hypothesis that $\Gamma$ is $P$-safe. □

Theorem 2 (Invariance of $T$-shapedness). Let $P$ and $Q$ be normal forms such that
$P \to Q$ and $\Gamma$ be a $P$-safe environment such that $\Gamma \vdash_T P$. Then, if
$P$ is $T$-shaped then $Q$ is $T$-shaped.

Proof. We will consider the input/output synchronisation case, as the $\tau$ action one is
similar and simpler. We will further assume that the sending action $\bar a\langle b\rangle$
is such that $\nu(a{:}\tau_a)$ and $\nu(b{:}\tau_b)$ are both active restrictions of $P$,
i.e. $(a{:}\tau_a) \in W$, $(b{:}\tau_b) \in W$ with
$P \equiv \nu W.(S \parallel R \parallel C)$. The case when either of these two names is a
free name of $P$ can be easily handled with the aid of the assumption that $\Gamma$ is
$P$-safe.

As in the proof of Theorem 1, the derivation of $\Gamma \vdash_T P$ must follow the shape
of (8).

From $T$-shapedness of $P$ we can conclude that both $\nu Y_s.S'$ and $\nu Y_r.R'$ are
$T$-shaped. We note that substitutions do not affect $T$-compatibility since they do not
alter the set of bound names and their type annotations. Therefore, we can infer that
$\nu Y_r.R'[b/x]$ is $T$-shaped. By Lemma 5 we know that
$\varphi = \Phi(\nu W.(S \parallel R \parallel C)) \in \mathcal{F}\llbracket P \rrbracket$,
$\varphi_R = \Phi(\nu Y_r.R'[b/x]) \in \mathcal{F}\llbracket \nu Y_r.R'[b/x] \rrbracket$
and $\varphi_S = \Phi(\nu Y_s.S') \in \mathcal{F}\llbracket \nu Y_s.S' \rrbracket$. Let
$\varphi_R = \varphi_{\mathrm{mig}} \uplus \varphi_{\neg\mathrm{mig}}$, where only
$\varphi_{\mathrm{mig}}$ contains a leaf labelled with a term with $b$ as a free name.
These leaves will correspond to the continuations $R'_j$ that migrate in
$a(x).\nu Y_r.R'$, after the application of the substitution $[b/x]$. By assumption,
inside $P$ both $S$ and $R$ are in the scope of the restriction binding $a$, and $S$ must
also be in the scope of the restriction binding $b$. Let $t_a = \mathrm{base}(\tau_a)$ and
$t_b = \mathrm{base}(\tau_b)$; $\varphi$ will contain two leaves $n_S$ and $n_R$ labelled
with $S$ and $R$ respectively, having a common ancestor $n_a$ labelled with $(a, t_a)$;
$n_S$ will have an ancestor $n_b$ labelled with $(b, t_b)$. Let $p_a$, $p_S$ and $p_R$ be
the paths in $\varphi$ leading from a root to $n_a$, $n_S$ and $n_R$ respectively.
By $T$-compatibility of $\varphi$, we are left with only two possible cases: either
1) $t_a < t_b$ or 2) $t_b < t_a$.

Let us consider case 1) first. The tree in $\varphi$ to which the nodes $n_S$ and $n_R$
belong would have the following shape:

[Figure: the tree of $\varphi$ containing $n_a$, $n_b$, $n_S$ and $n_R$; not reproduced.]

Now, we want to transform $\varphi$, by manipulating this tree, into a forest $\varphi'$
that is $T$-compatible by construction and such that there exists a term $Q' \equiv Q$
with $\mathrm{forest}(Q') = \varphi'$, so that we can conclude $Q$ is $T$-shaped.

To do so, we introduce the following function, taking a labelled forest $\varphi$, a path
$p$ in $\varphi$ and a labelled forest $\psi$ and returning a labelled forest:

$$\mathrm{ins}(\varphi, p, \psi) := (N_\varphi \uplus N_\psi,\ \prec_\varphi \uplus \prec_\psi \uplus \prec_{\mathrm{ins}},\ \ell_\varphi \uplus \ell_\psi)$$

where $n \prec_{\mathrm{ins}} n'$ if $n' \in \min_{\prec_\psi}(N_\psi)$,
$\ell_\psi(n') = (y, t_y)$ and
$n \in \max_{\prec_\varphi}\{m \in p \mid \ell_\varphi(m) = (x, t_x),\ t_x < t_y\}$. Note
that for each $n'$, since $p$ is a path, there can be at most one $n$ such that
$n \prec_{\mathrm{ins}} n'$.

To obtain the desired $\varphi'$, we first need to remove the leaves $n_S$ and $n_R$ from
$\varphi$, as they represent the sequential processes which reacted, obtaining a forest
$\varphi_C$. We argue that the $\varphi'$ we need is indeed

$$\varphi' = \mathrm{ins}(\varphi_1, p_S, \varphi_{\mathrm{mig}})$$

$$\varphi_1 = \mathrm{ins}(\varphi_2, p_R, \varphi_{\neg\mathrm{mig}})$$

$$\varphi_2 = \mathrm{ins}(\varphi_C, p_S, \varphi_S)$$

It is easy to see that, by definition of $\mathrm{ins}$, $\varphi'$ is $T$-compatible:
$\varphi_C$, $\varphi_S$, $\varphi_{\neg\mathrm{mig}}$ and $\varphi_{\mathrm{mig}}$ are
$T$-compatible by hypothesis, and $\mathrm{ins}$ adds parent edges only when they do not
break $T$-compatibility.

To prove the claim we need to show that $\varphi'$ is the forest of a term congruent to
$\nu W Y_s Y_r.(S' \parallel R'[b/x] \parallel C)$. Let
$J_{\mathrm{mig}} = \{j \in J \mid x \triangleleft_{\nu Y_r.R'} R'_j\}$,
$J_{\neg\mathrm{mig}} = J \setminus J_{\mathrm{mig}}$ and
$Y_1 = \{(y{:}\tau) \in Y_r \mid y \in \mathrm{fn}(R'_j),\ j \in J_{\neg\mathrm{mig}}\}$.
We know that no $R'_j$ with $j \in J_{\neg\mathrm{mig}}$ can contain $x$ as a free name,
so $R'_j[b/x] = R'_j$. Now suppose we are able to prove that conditions 1, 2 and 3 of
Lemma 1 hold for $\varphi_C$, $\varphi_1$, $\varphi_2$ and $\varphi'$. Then we could use
Lemma 1 to prove

a) $\varphi_C = \mathrm{forest}(Q_C)$, $Q_C = \nu W.C$,

b) $\varphi_2 = \mathrm{forest}(Q_2)$, $Q_2 = \nu W Y_s.(S' \parallel C)$,

c) $\varphi_1 = \mathrm{forest}(Q_1)$,
$Q_1 = \nu W Y_s Y_1.(S' \parallel \prod_{j \in J_{\neg\mathrm{mig}}} R'_j \parallel C)$,

d) $\varphi' = \mathrm{forest}(Q')$,
$Q' = \nu W Y_s Y_r.(S' \parallel R'[b/x] \parallel C) \equiv Q$

(it is straightforward to check that $\varphi_C$, $\varphi_2$, $\varphi_1$ and $\varphi'$
have the right sets of nodes and labels to give rise to the right terms). We then proceed
to check for each of the forests above that they satisfy conditions 1, 2 and 3, thus
proving the theorem.

Condition 1 requires that only leaves are labelled with sequential processes, a condition
that is easily satisfied by all of the above forests, since none of the operations involved
in their definition alters this property and the forests $\varphi$, $\varphi_S$ and
$\varphi_R$ satisfy it by construction.

Similarly, since $\nu W.(S \parallel R \parallel C)$ is a normal form it satisfies Name
Uniqueness, and condition 2 is satisfied as we never use the same name more than once.

Condition 3 holds on $\varphi$ and hence it holds on $\varphi_C$, since the latter contains
all the nodes of $\varphi$ labelled with names.

Now consider $\varphi_S$: in the proof of Theorem 1 we established that
$\Gamma \vdash_T P$ implies that the premises $\Psi^i_{S'}$ from (10) hold, that is
$\mathrm{base}(\Gamma, W(\mathrm{fn}(S'_i))) < \mathrm{base}(\tau_x)$ holds for all $S'_i$
with $i \in I$ and all $(x{:}\tau_x) \in Y_s$ such that $x \triangleleft_{\nu Y_s.S'} S'_i$.
Since $\mathrm{fn}(S'_i) \cap W \subseteq \mathrm{fn}(S)$ we know that every name
$(w{:}\tau_w) \in W$ such that $w \in \mathrm{fn}(S'_i)$ will appear as the label
$(w, \mathrm{base}(\tau_w))$ of a node $n_w$ in $p_S$. Therefore, by definition of
$\mathrm{ins}$, we have that for each leaf $n$ of $\varphi_S$ labelled with $S'_i$,
$n_w \prec_{\varphi_2} n$; in other words, in $\varphi_2$ every leaf labelled with $S'_i$
is a descendant of a node labelled with $(w, \mathrm{base}(\tau_w))$ for each
$(w{:}\tau_w) \in W$ with $w \in \mathrm{fn}(S'_i)$. This verifies condition 3 on
$\varphi_2$.

Similarly, by (12) the following premise must hold:
$\mathrm{base}(\Gamma, W(\mathrm{fn}(R'_j))) < \mathrm{base}(\tau_y)$ for all $R'_j$ with
$j \in J$ and all $(y{:}\tau_y) \in Y_r$ such that $y \triangleleft_{\nu Y_r.R'} R'_j$. We
can then apply the same argument we applied to $\varphi_2$ to show that condition 3 holds
on $\varphi_1$.

From (11) and the assumption $t_a < t_b$, we can conclude that the following premise must
hold: $\mathrm{base}(\Gamma, W(\mathrm{fn}(R'_j) \setminus \{a\})) < t_a$ for each
$j \in J$ such that $R'_j$ is migratable in $a(x).\nu Y_r.R'$, i.e. $j \in J_{\mathrm{mig}}$.
From this we can conclude that for every name $(w{:}\tau_w) \in W$ such that
$w \in \mathrm{fn}(R'_j[b/x])$ with $j \in J_{\mathrm{mig}}$ there must be a node in $p_a$
(and hence in $p_S$) labelled with $(w, \mathrm{base}(\tau_w))$. Now, some of the leaves in
$\varphi_{\mathrm{mig}}$ will be labelled with terms having $b$ as a free name; we show
that in fact every root of $\varphi_{\mathrm{mig}}$ labelled with a $(y, t_y)$ is such
that $t_b < t_y$. From the proof of Theorem 1 and Lemma 8 we know that from the hypothesis
we can infer $\Gamma, W \vdash_T \nu Y_r.R'[b/x]$ and hence that for each
$j \in J_{\mathrm{mig}}$ and each $(y{:}\tau_y) \in Y_r$, if $y$ is tied to $R'_j[b/x]$ in
$\nu Y_r.R'[b/x]$ then
$\mathrm{base}(\Gamma, W(\mathrm{fn}(R'_j[b/x]))) < \mathrm{base}(\tau_y)$. By Lemma 6 we
know that every root of $\varphi_{\mathrm{mig}}$ is labelled with a name $(y, t_y)$ which
is tied to each of the leaves in its tree. Therefore each such $t_y$ satisfies
$\mathrm{base}(\Gamma, W(\mathrm{fn}(R'_j[b/x]))) < t_y$. By construction, there exists at
least one $j \in J_{\mathrm{mig}}$ such that $x \in \mathrm{fn}(R'_j)$ and consequently
such that $b \in \mathrm{fn}(R'_j[b/x])$. From this and $b \in W$ we can conclude
$t_b < t_y$ for every $t_y$ labelling a root in $\varphi_{\mathrm{mig}}$. We can then
conclude that
$\{n_b\} = \max_{\prec_\varphi}\{m \in p_S \mid \ell(m) = (z, t_z),\ t_z < t_y\}$ for each
$t_y$ labelling a root of $\varphi_{\mathrm{mig}}$, which means that each tree of
$\varphi_{\mathrm{mig}}$ is placed as a subtree of $n_b$ in $\varphi'$. This verifies
condition 3 for $\varphi'$, completing the proof.

Pictorially, the tree containing $n_S$ and $n_R$ in $\varphi$ is transformed into the
following tree in $\varphi'$:

[Figure: the transformed tree; legend: subtrees of $\varphi_S$, of
$\varphi_{\mathrm{mig}}$ (placed under $n_b$) and of $\varphi_{\neg\mathrm{mig}}$ are
marked with triangles. Not reproduced.]

Case 2), where $t_b < t_a$, is simpler as the migrating continuations can be treated just
as the non-migrating ones. □

To illustrate the role of $\varphi_{\neg\mathrm{mig}}$ and the $\mathrm{ins}$ operation in
the above proof, we show an example that would not be typable if we chose a simpler
"migration" transformation.

Example 10. Consider the normal form $P = \nu a b c.(A^* \parallel \bar a\langle c\rangle)$
where $A = a(x).\nu d.(\bar a\langle d\rangle \parallel \bar b\langle x\rangle)$. To make
types consistent we need annotations satisfying $a{:}t_a[t]$, $b{:}t_b[t]$, $c{:}t$ and
$d{:}t$. Any $T$ satisfying the constraints $t_b < t_a < t$ would allow us to prove
$\emptyset \vdash_T P$; let then $T$ be the forest $b \prec a \prec t$ with $t_a = a$,
$t_b = b$ and $t = t$. Let $P' = \nu a b c d.(A^* \parallel \bar a\langle d\rangle \parallel \bar b\langle c\rangle)$
be the (only) successor of $P$. The following picture shows $\Phi(P)$ in the middle, on
the left a forest in $\mathcal{F}\llbracket P' \rrbracket$ extracted by just putting the
continuation of $A$ under the message, and on the right the forest obtained by using
$\mathrm{ins}$ on the non-migrating continuations of $A$:

[Figure: three forests over the nodes $b$, $a$, $c$, $d$, $A^*$, $\bar b\langle c\rangle$,
$\bar a\langle d\rangle$; in the left one $d$ sits below $c$, in the right one $d$ sits
below $a$ and $\bar b\langle c\rangle$ below $c$. Not reproduced.]

Clearly, the tree on the left is not $T$-compatible, since $c$ and $d$ have the same base
type $t$. Instead, the tree on the right can be obtained because $\mathrm{ins}$ inserts
the non-migrating continuation as close to the root as possible.
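The placement argument of Example 10 can be replayed mechanically. The Python below is an added illustration written for this page, not code from the paper: it represents a labelled forest by a parent map, reads $T$-compatibility as "the name nodes on every path carry a strictly increasing chain of base types of $T$" (the reading used for the depth bound above), implements $\mathrm{ins}$ as defined in the proof of Theorem 2, and compares the two forests of Example 10. The node ids (`A*`, `a<d>`, `b<c>`), the function names, and the rule that a term-labelled root is hung below the deepest name node of the path are assumptions of this example, not definitions from the paper.

```python
"""Labelled forests, T-compatibility and ins, replayed on Example 10 (example code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BaseForest = Dict[str, Optional[str]]   # the finite forest T of base types, as a parent map


@dataclass
class Forest:
    parent: Dict[str, Optional[str]]                       # parent[n] is None for a root
    base: Dict[str, str] = field(default_factory=dict)    # base type of each name node

    def roots(self) -> List[str]:
        return [n for n, p in self.parent.items() if p is None]

    def children(self, n: str) -> List[str]:
        return [c for c, p in self.parent.items() if p == n]

    def path(self, n: str) -> List[str]:
        """Nodes on the path from a root down to n, inclusive."""
        out: List[str] = []
        cur: Optional[str] = n
        while cur is not None:
            out.append(cur)
            cur = self.parent[cur]
        return out[::-1]


def lt(T: BaseForest, t1: str, t2: str) -> bool:
    """t1 < t2: t1 is a strict ancestor of t2 in T."""
    cur = T[t2]
    while cur is not None:
        if cur == t1:
            return True
        cur = T[cur]
    return False


def height(T: BaseForest) -> int:
    """Length of the longest strictly increasing chain in T (the depth bound)."""
    def chain(t: str) -> int:
        return 1 + (chain(T[t]) if T[t] is not None else 0)
    return max(chain(t) for t in T)


def depth(phi: Forest) -> int:
    """Number of name nodes on the longest root-to-leaf path of phi."""
    return max(sum(1 for m in phi.path(n) if m in phi.base) for n in phi.parent)


def is_T_compatible(phi: Forest, T: BaseForest) -> bool:
    """Term leaves must be leaves; along every path the base types strictly increase in T."""
    for n in phi.parent:
        if n not in phi.base and phi.children(n):
            return False
        if n in phi.base:
            for m in phi.path(n)[:-1]:
                if m in phi.base and not lt(T, phi.base[m], phi.base[n]):
                    return False
    return True


def ins(phi: Forest, p: List[str], psi: Forest, T: BaseForest) -> Forest:
    """Hang each root of psi labelled (y, t_y) below the deepest node of the path p whose
    base type is < t_y; it stays a root if there is none. Assumption beyond the page: a
    term-labelled root of psi goes below the deepest name node of p."""
    assert not set(phi.parent) & set(psi.parent), "Name Uniqueness: node ids must be disjoint"
    out = Forest({**phi.parent, **psi.parent}, {**phi.base, **psi.base})
    names_on_p = [m for m in p if m in phi.base]
    for r in psi.roots():
        if r in psi.base:
            cands = [m for m in names_on_p if lt(T, phi.base[m], psi.base[r])]
            out.parent[r] = cands[-1] if cands else None
        else:
            out.parent[r] = names_on_p[-1] if names_on_p else None
    return out


# Example 10: T is b < a < t; PHI_C is Phi(P) with the reacting sender a<c> removed.
# The continuation of A after [c/x] is nu d.(a<d> || b<c>): a<d> with its scope d does
# not migrate (it does not know x), b<c> does.
T10: BaseForest = {"b": None, "a": "b", "t": "a"}
PHI_C = Forest({"b": None, "a": "b", "A*": "a", "c": "a"}, {"b": "b", "a": "a", "c": "t"})
PHI_NOTMIG = Forest({"d": None, "a<d>": "d"}, {"d": "t"})
PHI_MIG = Forest({"b<c>": None})


def naive_placement() -> Forest:
    """Left forest of Example 10: the whole continuation hung under the message c."""
    return Forest({**PHI_C.parent, "d": "c", "a<d>": "d", "b<c>": "c"},
                  {**PHI_C.base, "d": "t"})


def ins_placement() -> Forest:
    """Right forest of Example 10: non-migrating part along the receiver's path p_R,
    migrating part along the sender's path p_S, as in the proof of Theorem 2."""
    p_R = PHI_C.path("A*")   # b, a, A*
    p_S = PHI_C.path("c")    # b, a, c
    phi_1 = ins(PHI_C, p_R, PHI_NOTMIG, T10)
    return ins(phi_1, p_S, PHI_MIG, T10)


if __name__ == "__main__":
    print("naive placement T-compatible:", is_T_compatible(naive_placement(), T10))
    print("ins placement T-compatible:  ", is_T_compatible(ins_placement(), T10))
    print("depth", depth(ins_placement()), "<= height(T) =", height(T10))
```

Running it reports the naive placement as incompatible (c and d both carry t on one path) and the ins placement as compatible, with depth 3, the height of T.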

Definition 7 (Typably Hierarchical term). A normal form $P$ is typably hierarchical if $P$
is $T$-shaped and $\Gamma \vdash_T P$ for some finite forest $T$ and $P$-safe environment
$\Gamma$. A general π-term $P$ is typably hierarchical if its normal form
$\mathrm{nf}(P)$ is.

Theorem 3 (Depth-boundedness). Every typably hierarchical term is depth-bounded.

Proof. By Theorem 1 and Theorem 2 every term reachable from a typably hierarchical term
$P$ is $T$-shaped. Then by Proposition 1 $P$ is depth-bounded. □

B. Type inference 

In this section we will show that it is possible to take any non-annotated normal form $P$
and derive a forest $T$ and an annotated normal form for $P$ that can be typed under $T$.

It is straightforward to see that inference is decidable: if a forest of base types can be
found so that the typing derivation for $P$ is successful, there exists a $T$ with at most
$|\mathrm{bn}(P)|$ nodes and a $P$-safe environment $\Gamma$ with
$\mathrm{dom}(\Gamma) = \mathrm{fn}(P)$, such that $\Gamma \vdash_T P$ and $P$ is
$T$-shaped. Therefore a naive algorithm could enumerate all such forests (there are
finitely many) and type check $P$ against each. However, a better algorithm is possible.

We start by annotating the term with type variables: each name $x$ gets typed with a type
variable $\tau_x$. Then we start the type derivation, collecting all the constraints on
types along the way. If we can find a $T$ and type expressions to associate to each type
variable so that these constraints are satisfied, the process can be typed under $T$.

The constraints have two forms:

1) $\tau_x = t_x[\tau_y]$ where $t_x$ is a base type variable;

2) $\mathrm{base}(\tau_x) < \mathrm{base}(\tau_y)$, which corresponds to a constraint over
the corresponding base type variables, i.e. $t_x < t_y$.

Note that the $P$-safe condition on $\Gamma$ translates to constraints of the second kind.
The first kind of constraints can be solved using unification. If no solution exists, the
process cannot be typed. This is the case of processes that cannot be simply typed [17].
If unification is successful we get a set of equations where the unknowns are the base
type variables. Any assignment of those variables to nodes in a suitable forest that
satisfies the constraints of the second kind would be a witness of typability.

We have at most $n$ base type variables, where $n$ is the number of names occurring in
$P$. There are at most $n^2$ independent constraints of the form $t_x < t_y$, which can be
treated as uninterpreted propositions. By inspecting rules Par and In we observe that all
the "tied-to" and "migratable" predicates do not depend on $T$, so for any given $P$ the
conjunction of constraints on base types generated in the proof derivation forms a 2-CNF
formula with $O(n^2)$ boolean variables. Since 2-CNF satisfiability is linear in the
number of variables [1], we obtain an $O(n^2)$ bound on satisfiability of the base type
constraints. Once we prove satisfiability of these constraints, to prove $P$ is typably
hierarchical it remains to prove that there exists a model $T$ of the constraints such
that $P$ is $T$-shaped. If a precise bound on the depth is needed, one can perform a search
for the shallowest forest which is a model of the base type constraints and such that $P$
is $T$-shaped. Otherwise, the search can be restricted to total orders.
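As an added example (this page's own code, not the paper's algorithm) of the second phase just described, the Python below takes base-type constraints in the shape the derivation produces, unit clauses from Par and two-literal disjunctions from In, and searches for a strict order satisfying them, returning a chain (a total order) as suggested for the case where no precise depth bound is needed. The clause lists for Examples 8 and 9 are transcribed from the text above; the function names and the brute-force choice of one literal per clause are this example's own, and that search is exponential in the number of disjunctive clauses, so the code makes no claim about the $O(n^2)$ bound.

```python
"""Solving base-type constraints t_x < t_y collected during a typing derivation (example)."""
from itertools import product
from typing import Dict, List, Optional, Sequence, Tuple

Atom = Tuple[str, str]       # ("x", "y") stands for the constraint t_x < t_y
Clause = Sequence[Atom]      # a disjunction: Par yields unit clauses, In yields 2-clauses


def _topological_chain(names: Sequence[str], edges: List[Atom]) -> Optional[List[str]]:
    """Kahn's algorithm: a total order extending all the edges, or None if they contain a
    cycle (including a self-loop t < t), in which case no forest can satisfy them."""
    indeg = {n: 0 for n in names}
    succ: Dict[str, List[str]] = {n: [] for n in names}
    for x, y in edges:
        succ[x].append(y)
        indeg[y] += 1
    ready = sorted(n for n in names if indeg[n] == 0)
    order: List[str] = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m in succ[n]:
            indeg[m] -= 1
            if indeg[m] == 0:
                ready.append(m)
                ready.sort()
    return order if len(order) == len(names) else None


def solve_base_types(names: Sequence[str], clauses: Sequence[Clause]) -> Optional[List[str]]:
    """Pick one atom per clause and return the first choice whose atoms are acyclic, as a
    chain of base types (the root of T first)."""
    for choice in product(*clauses):
        order = _topological_chain(names, list(choice))
        if order is not None:
            return order
    return None


def satisfied_by_chain(chain: Sequence[str], clauses: Sequence[Clause]) -> bool:
    """Check a candidate total order T (given as a chain) against every clause."""
    pos = {n: i for i, n in enumerate(chain)}
    return all(any(pos[x] < pos[y] for x, y in cl) for cl in clauses)


# Constraints of Example 8, one clause per rule application that generates one.
EX8_NAMES = ["s", "c", "m", "d"]
EX8_CLAUSES: List[Clause] = [
    [("m", "d")],                # Par on nu d.x<d> in S: base(tau_m) < base(tau_d)
    [("c", "m")],                # the analogous Par check for M
    [("m", "c"), ("s", "c")],    # In on c(m) in C: base(tau_m) < c, or base(tau_s) < c
    [("c", "m")],                # In on m(y) in A_2: base(tau_c) < m
]
# Example 9: b's base type must be strictly above x's, but unification forced both to t.
EX9_CLAUSES: List[Clause] = [[("t", "t")]]

if __name__ == "__main__":
    print("Example 8 chain:", solve_base_types(EX8_NAMES, EX8_CLAUSES))   # s < c < m < d
    print("Example 9 chain:", solve_base_types(["t"], EX9_CLAUSES))       # None
```

For Example 8 the first choice of literals (taking $m < c$ from the In clause) is rejected because together with $c < m$ it forms a cycle; the second choice yields the chain $s \prec c \prec m \prec d$, which is exactly the forest used in the text. For Example 9 the self-loop makes every choice cyclic, matching the claim that no finite $T$ exists.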

V. Equivalence with NDCMA

After isolating a fragment of a process calculus, an interesting question is whether we can
find an automata-based presentation of the same fragment. In this section we give an
answer to this question by relating the typably hierarchical fragment to a class of
automata on data words recently defined in [3]: Nested Data Class Memory Automata
(NDCMA).

The original presentation of NDCMAs sees them as language recognition devices: they can
recognise sets of data words, that is sequences of symbols in $\Sigma \times D$ where
$\Sigma$ is a finite alphabet and $D$ is an infinite set of data values. Notably, (weak)
NDCMAs are more expressive than Petri nets, while enjoying decidability of some
verification problems. While Class Memory Automata [2] do not postulate any structure on
$D$, NDCMAs assume that it is equipped with an infinitely branching, finite height forest
structure. We will make use of this forest structure to represent $T$-compatible π-term
forests.
We are primarily interested in establishing a tight relation between the transition
systems of NDCMAs and typably hierarchical terms. Therefore we do not regard NDCMAs as
language recognition devices but simply as computational models. For this reason, our
definition ignores the language-related components of the original definition of [3]:
there is no finite alphabet $\Sigma$, no accepting control states, no accepting run. While
in the language-theoretic formulation at each step in a run a letter and a data value must
be read from the input string, here a transition can fire simply if there exists a data
value satisfying the transition's precondition.

Definition 8 (NDCMA [3]). We define a nested dataset $(D, \mathrm{pred}_D)$ to be a forest
of infinitely many trees of level $\ell$ which is full, in the sense that for each data
value $d$ of level less than $\ell$ there are infinitely many data values $d'$ whose
parent is $d$.

A class memory function is a function $f\colon D \to Q \uplus \{\bot\}$ such that
$f(d) = \bot$ for all but finitely many $d \in D$; $\bot$ is a special symbol indicating
that a data value is fresh, i.e. has never been used before.

Fix a nested dataset of level $\ell$. A Nested Data CMA of level $\ell$ is a tuple
$(Q, \delta, q_0, f_0)$ where $Q$ is a finite set of states, $q_0 \in Q$ is the initial
control state, $f_0\colon D \to Q_\bot$ is the initial class memory function, satisfying
$f_0(\mathrm{pred}(d)) = \bot \Rightarrow f_0(d) = \bot$, and $\delta$ is the transition
relation. $\delta$ is given by a union $\delta = \bigcup_{i=1}^{\ell} \delta_i$ where each
$\delta_i$ is a relation $\delta_i \subseteq Q \times (Q_\bot)^i \times Q \times Q^i$ and
$Q_\bot$ is defined as $Q \cup \{\bot\}$. A configuration is a pair $(q, f)$ where
$q \in Q$ and $f\colon D \to Q_\bot$ is a class memory function. The initial configuration
is $(q_0, f_0)$. The automaton can transition from configuration $(q, f)$ to configuration
$(q', f')$, written $(q, f) \to (q', f')$, just if there exists a level-$i$ data value $d$
such that $(q, q_1, \dots, q_i, q', q'_1, \dots, q'_i) \in \delta_i$, for all
$j \in \{1, \dots, i\}$, $f(\mathrm{pred}^{i-j}(d)) = q_j$, and

$$f' = f[\mathrm{pred}^{i-1}(d) \mapsto q'_1,\ \dots,\ \mathrm{pred}(d) \mapsto q'_{i-1},\ d \mapsto q'_i].$$

Given a nested dataset $D$ we write $\mathrm{CMF}(D, Q)$ for the set of all class memory
functions from $D$ to $Q_\bot$.

We want to show that, in some strong sense, NDCMAs are equi-expressive to typably hierarchical $\pi$-terms. First we show an encoding from typable $\pi$-terms, then we prove that the transition system generated by the NDCMA encoding is bisimilar to the transition system generated by the reduction semantics of the $\pi$-term. This result is quite strong in that it implies the equivalence of many decision problems of the two formalisms. It also offers a bridge between infinite-alphabet automata and decidable fragments of the $\pi$-calculus.

A. Encoding Typably Hierarchical terms into NDCMA 

We make a few simplifying assumptions on the term to be encoded as an NDCMA. First, we assume $P$ is a closed normal form, i.e. $\mathrm{fn}(P) = \emptyset$; second, we assume $P$ contains no $\tau$ action. It would be easy to support the general case, but we focus on the core case for conciseness. Fix a closed $T$-shaped $\pi$-term $P$ such that $\emptyset \vdash_T P$, with $\ell = \mathrm{height}(T)$. We will construct a level-$\ell$ automaton $\mathcal{A}[P]$ from $P$ so that their transition systems are essentially bisimilar.


The intuition behind the encoding is as follows. A configuration $(q, f)$ represents a $\pi$-term $P$ by using $f$ to label a finite portion of $D$ so that it is isomorphic to a $T$-compatible forest of a term. Our encoding proceeds in rounds. A single synchronisation step between two processes is simulated by a predictable number of steps of the automaton. Since $\pi$-terms exhibit non-determinism, the automata in the image of the encoding need to be non-deterministic as well. We make use of the non-determinism of the automata model in a second way: in a reduction, the two synchronising processes are not on the same path in the syntax tree (they are both leaves by construction), but the automaton can only examine one path in $D$ at a time; we therefore first guess the sender, mark the channel carrying its message, then select a receiver waiting on that channel (which will be on the path of both processes) and finally spawn their continuations in the relevant places. This requires separate steps and can lead to spurious deadlocks when no process is listening on the selected channel. These deadlocked states can be pruned from the bisimulation by restricting the relevant transition system to those configurations whose control state is a distinguished state signalling that the intermediate steps of a synchronisation have been completed. A successful round follows very closely the operations used in the proof of Theorem 2.

A round starts from a configuration with control state $q_{\mathrm{ready}}$, then goes through a number of intermediate steps until it either deadlocks or reaches another configuration with control state $q_{\mathrm{ready}}$. Only reachable configurations of $\mathcal{A}[P]$ with $q_{\mathrm{ready}}$ as control state will correspond to reachable terms of $P$. Thus, given an automaton $\mathcal{A} = (Q, \delta, q_{\mathrm{ready}}, f_0)$, we define the transition relation $({\Rightarrow_{\mathrm{ready}}}) \subseteq \mathrm{CMF}(D, Q)^2$ as the minimal relation such that $f \Rightarrow_{\mathrm{ready}} f'$ if $(q_{\mathrm{ready}}, f) \to_{\mathcal{A}} (q_1, f_1) \to_{\mathcal{A}} \cdots \to_{\mathcal{A}} (q_n, f_n) \to_{\mathcal{A}} (q_{\mathrm{ready}}, f')$ where, in the possibly empty sequence of $(q_i, f_i)$, $q_i \neq q_{\mathrm{ready}}$ for every $i$.

To encode a reachable term $Q$ in a configuration $(q_{\mathrm{ready}}, f)$ we use $f$ to represent the forest $\Phi(Q)$: roughly speaking, a node $n$ of $\Phi(Q)$ labelled with $l$ is represented by a data value $d$ that $f$ maps to a state $q_l$. Since in general, due to the generation of unboundedly many names, there might be infinitely many such labels $l$, we need to show that a finite number of distinct labels suffices, so that they can be represented with control states. This is achieved by using the concept of derivatives. The set of derivatives of a term $P$ is the set of sequential subterms of $P$, both active and not active. More formally, it is the set defined by the following function:


$$
\begin{aligned}
\mathrm{der}(\mathbf{0}) &:= \emptyset &
\mathrm{der}(\nu x.P) &:= \mathrm{der}(P) \\
\mathrm{der}(P \parallel Q) &:= \mathrm{der}(P) \cup \mathrm{der}(Q) &
\mathrm{der}(M^{*}) &:= \{M^{*}\} \cup \mathrm{der}(M) \\
\mathrm{der}(M + M') &:= \{M + M'\} \cup \mathrm{der}(M) \cup \mathrm{der}(M') &
\mathrm{der}(\pi.P) &:= \{\pi.P\} \cup \mathrm{der}(P)
\end{aligned}
$$


Clearly, $\mathrm{der}(P)$ is a finite set. Every active sequential subterm of a term $P'$ reachable from $P$ is congruent to $Q\sigma$ for some $Q \in \mathrm{der}(P)$ and some substitution $\sigma$. When $P$ is depth-bounded, we know from [8] that there is a finite set of substitutions from which the substitution $\sigma$ above can always be drawn. The assumption that $P$ is $T$-shaped and typable allows us to be even more specific. Let $X_T = \{x_t \mid t \in T\}$ be a finite set of names; we define
$$
A_P := \{\, Q\sigma \mid Q \in \mathrm{der}(P),\ \sigma\colon \mathrm{fn}(Q) \to (X_T \cup \mathrm{fn}(P)) \,\}.
$$
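As an added illustration (not the paper's code), the following Python code implements $\mathrm{der}$ and $A_P$ over a small AST for the grammar used here and shows, on a constructed closed term, that $A_P$ is finite and depends only on $\mathrm{der}(P)$ and on the names $X_T \cup \mathrm{fn}(P)$. The names `x1`, `x2` play the role of $X_T$ and are assumptions of the example; substitution is applied without capture avoidance, which is what Lemma 9's renaming of bound names guarantees.

```python
"""The derivative function der and the finite set A_P of Section V-A.

Added illustration, not the paper's code.  Terms are a small AST for the
paper's grammar: sequential terms are Nil, an output prefix x<y>.P, an input
prefix x(y).P, a sum M + M' or a replication M*; processes are restrictions
(nu x)P and parallel compositions P || Q."""
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Nil: pass
@dataclass(frozen=True)
class Out: chan: str; msg: str; cont: object      # chan<msg>.cont
@dataclass(frozen=True)
class In: chan: str; var: str; cont: object       # chan(var).cont, var bound in cont
@dataclass(frozen=True)
class Sum: left: object; right: object            # left + right
@dataclass(frozen=True)
class Rep: body: object                           # body*
@dataclass(frozen=True)
class Nu: name: str; body: object                 # (nu name) body
@dataclass(frozen=True)
class Par: left: object; right: object            # left || right


def der(p):
    """Sequential subterms of p, active or not (the paper's der)."""
    if isinstance(p, Nil):
        return frozenset()
    if isinstance(p, Nu):
        return der(p.body)
    if isinstance(p, Par):
        return der(p.left) | der(p.right)
    if isinstance(p, Rep):
        return frozenset({p}) | der(p.body)
    if isinstance(p, Sum):
        return frozenset({p}) | der(p.left) | der(p.right)
    if isinstance(p, (Out, In)):
        return frozenset({p}) | der(p.cont)
    raise TypeError(p)


def fn(p):
    """Free names of p (In binds var in cont, Nu binds name in body)."""
    if isinstance(p, Nil):
        return frozenset()
    if isinstance(p, Out):
        return frozenset({p.chan, p.msg}) | fn(p.cont)
    if isinstance(p, In):
        return frozenset({p.chan}) | (fn(p.cont) - {p.var})
    if isinstance(p, (Sum, Par)):
        return fn(p.left) | fn(p.right)
    if isinstance(p, Rep):
        return fn(p.body)
    if isinstance(p, Nu):
        return fn(p.body) - {p.name}
    raise TypeError(p)


def subst(p, s):
    """Apply the substitution s (a dict) to the free names of p.  No capture
    avoidance: the range of s must be disjoint from the bound names of p."""
    if isinstance(p, Nil):
        return p
    if isinstance(p, Out):
        return Out(s.get(p.chan, p.chan), s.get(p.msg, p.msg), subst(p.cont, s))
    if isinstance(p, In):
        inner = {k: v for k, v in s.items() if k != p.var}
        return In(s.get(p.chan, p.chan), p.var, subst(p.cont, inner))
    if isinstance(p, Sum):
        return Sum(subst(p.left, s), subst(p.right, s))
    if isinstance(p, Par):
        return Par(subst(p.left, s), subst(p.right, s))
    if isinstance(p, Rep):
        return Rep(subst(p.body, s))
    if isinstance(p, Nu):
        inner = {k: v for k, v in s.items() if k != p.name}
        return Nu(p.name, subst(p.body, inner))
    raise TypeError(p)


def a_p(p, x_t):
    """A_P = { Q sigma | Q in der(P), sigma : fn(Q) -> X_T u fn(P) }: the finite
    set of labels from which the automaton's control states are drawn."""
    names = sorted(x_t | fn(p))
    result = set()
    for q in der(p):
        free = sorted(fn(q))
        for image in product(names, repeat=len(free)):
            result.add(subst(q, dict(zip(free, image))))
    return frozenset(result)


if __name__ == "__main__":
    # Constructed closed term: (nu a)(nu b)( (a(x).b<x>.0)* || a<b>.0 )
    P = Nu("a", Nu("b", Par(Rep(In("a", "x", Out("b", "x", Nil()))),
                            Out("a", "b", Nil()))))
    print(len(der(P)))                           # 4 derivatives
    print(len(a_p(P, frozenset({"x1", "x2"}))))  # 12 distinct instances
```

On the constructed term the four derivatives have two free names each, so each yields four instances over $X_T = \{x_1, x_2\}$; the two output derivatives collapse onto the same four instances, which is why $|A_P| = 12$ rather than $16$.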

Lemma 9. Let $P$ be a term such that $\mathrm{forest}(P)$ is $T$-compatible. Then there exists a term $Q$ such that $\mathrm{forest}(Q)$ is $T$-compatible, $Q$ is an $\alpha$-renaming of $P$, $\mathrm{bn}(Q) \subseteq X_T$ and each active sequential subterm of $Q$ is in $A_P$.

Proof. By definition of $T$-compatible forest, in any path of $\mathrm{forest}(P)$ no two distinct nodes have labels $(x, t)$ and $(x', t)$ with the same base type $t$, so $\alpha$-renaming each restriction $(x : t)$ of $P$ to $(x_{\mathrm{base}(t)} : t)$ yields the desired $Q$. □

Henceforth, we write $\Phi'(P)$ for a relabelling of the forest $\Phi(P)$ such that its labels use only names in $X_T$, as justified by Lemma 9.

Corollary 1. If a term $P$ is typably hierarchical, then every $P' \in \mathrm{Reach}(P)$ is congruent to a term $Q$ such that $\mathrm{bn}(Q) \subseteq X_T$ and each active sequential subterm of $Q$ is in $A_P$.

Proof. By Theorem 2 and Lemma 9. □

The transition relation of the automaton encoding of a term $P$ is then derived from the set $A_P$.

Before we show how to construct the transitions of the automaton from the term, we define a relation $\approx$ between terms and class memory functions. This relation formalises how we encode the term as a labelling of data values, and will have a crucial role in proving the soundness of the encoding. Let $Q$ be a term reachable from $P$ and $(q_{\mathrm{ready}}, f)$ be a configuration of an automaton $\mathcal{A}$. Let $\varphi = \Phi'(Q)$; the relation $Q \approx f$ holds if and only if there exists an injective function $\iota\colon \mathrm{nodes}(\varphi) \to D$ such that for all $n \in \mathrm{nodes}(\varphi)$:

i) if $\iota(n) = d$, $n'$ is the parent of $n$ and $\iota(n') = d'$, then $d' = \mathrm{pred}(d)$;

ii) if $n$ is labelled with $(x_t, \tau)$ then $f(\iota(n)) = x_t$;

iii) if $n$ is labelled with a sequential process $Q'$ then $f(\iota(n)) = Q'$;

iv) for each $d$ such that $f(d) \neq \bot$, either there is an $n$ such that $\iota(n) = d$ or $f(d) = q_\emptyset$, a distinguished "garbage" state.

Thus the names $x_t \in X_T$ and the terms in $A_P$ are themselves used as control states of the automaton; both sets are finite.

Let us now describe how we can simulate reduction steps of a $\pi$-term with transitions of an NDCMA. In encoding a $\pi$-term's semantics into the transition relation of an NDCMA, we need to overcome the differences in the primitive steps allowed in the two models. Simulating a $\pi$-calculus synchronisation requires matching, at the same time, two paths in $D$ leading to the two reacting sequential terms. A step in the automata semantics can only manipulate a single path, so we will need to split the detection of a redex into two phases: finding the sender, then finding a matching receiver. Moreover, finding a redex requires detecting that the path under consideration contains a node labelled with the synchronising channel and one with the appropriate sequential term, ignoring how many and which other nodes are in between them. To succinctly represent this operation, we introduce the following notation. Fix a set $Q$ including $q, q', l_1, \ldots, l_n, l'_1, \ldots, l'_n, l$. We associate to the expression $[q, l_1 \ldots l_n] \to [q', l'_1 \ldots l'_n]$ the set of transitions
$$
\begin{aligned}
\mathrm{tran}_Q([q, l_1 \ldots l_n] \to [q', l'_1 \ldots l'_n]) := \{\, & (q, q_1, \ldots, q_m, q', q'_1, \ldots, q'_m) \in \delta_m \mid \exists i_1 \ldots i_n.\ 1 \le i_1 < \cdots < i_n \le m, \\
& q_{i_j} = l_j,\ q'_{i_j} = l'_j \text{ for } 1 \le j \le n,\ \text{and } q'_k = q_k \text{ for } k \notin \{i_1, \ldots, i_n\} \,\}.
\end{aligned}
$$
When the sequence $l_1, \ldots, l_n$ is empty, the expression simply means that the automaton may go from a configuration $(q, f)$ to $(q', f)$ with no condition (nor effect) on $f$. Similarly, we associate to the expression $[q, l_1 \ldots l_n, \bot] \to [q', l'_1 \ldots l'_n, l]$ the set of transitions
$$
\begin{aligned}
\mathrm{tran}_Q([q, l_1 \ldots l_n, \bot] \to [q', l'_1 \ldots l'_n, l]) := \{\, & (q, q_1, \ldots, q_m, q', q'_1, \ldots, q'_m) \in \delta_m \mid \exists i_1 \ldots i_n.\ 1 \le i_1 < \cdots < i_n = m-1, \\
& q_{i_j} = l_j,\ q'_{i_j} = l'_j \text{ for } 1 \le j \le n,\ q_m = \bot,\ q'_m = l,\ \text{and } q'_k = q_k \text{ for } k \notin \{i_1, \ldots, i_n, m\} \,\}
\end{aligned}
$$
(with $m = 1$ when $n = 0$): a fresh child of the data value matching $l_n$ is selected and labelled with $l$. Note that the sequence $l_1, \ldots, l_n$ may be empty, in which case the data value labelled with $\bot$ is selected among the level-1 ones. The set of states mentioned in an expression is $\mathrm{states}([q, l_1 \ldots l_n] \to [q', l'_1 \ldots l'_n]) := \{q, q', l_1, \ldots, l_n, l'_1, \ldots, l'_n\}$ and $\mathrm{states}([q, l_1 \ldots l_n, \bot] \to [q', l'_1 \ldots l'_n, l]) := \{q, q', l, l_1, \ldots, l_n, l'_1, \ldots, l'_n\}$.
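As an added illustration of Definition 8, of the derived relation $\Rightarrow_{\mathrm{ready}}$ and of the $\mathrm{tran}_Q$ notation just introduced (this is not the paper's code), the following Python simulator represents a class memory function as a finite dictionary over tuple-encoded data values, expands pattern expressions into concrete $\delta_m$ tuples, computes the successors of a configuration by trying one canonical fresh data value per class of interchangeable fresh siblings, and collects the class memory functions reachable between two visits of a ready state, dropping intermediate runs that deadlock. The two-state automaton in the `__main__` block is constructed for the example and is not taken from the paper.

```python
"""Simulator for the NDCMA semantics of Definition 8.

Added illustration, not the paper's code.  A data value of level i is a
tuple of i child indices, so pred(d) == d[:-1] and () stands for the root
of the (imaginary) level-0 path.  A class memory function is a finite dict;
absent keys are fresh (BOT).  A transition of delta_i is a tuple
(q, (q_1, ..., q_i), q', (q'_1, ..., q'_i)) where q_j is read from
pred^{i-j}(d), exactly as in the definition."""
from collections import deque
from itertools import combinations, product

BOT = None  # the special symbol "bottom": this data value has never been used


def read_path(f, d):
    """(f(pred^{i-1}(d)), ..., f(pred(d)), f(d)) for a level-i value d."""
    return tuple(f.get(d[:k], BOT) for k in range(1, len(d) + 1))


def candidates(f, level):
    """Level-`level` data values worth trying as the witness d.

    The nested dataset is infinite, but fresh siblings are interchangeable:
    it suffices to try every non-fresh value of that level plus one canonical
    fresh descendant of each non-fresh value (and of the root)."""
    nodes = {d for d in f if len(d) == level}
    for p in [()] + [d for d in f if len(d) < level]:
        used = {d[len(p)] for d in f if len(d) > len(p) and d[:len(p)] == p}
        child = p + (max(used, default=-1) + 1,)        # a fresh child of p
        nodes.add(child + (0,) * (level - len(child)))  # fresh all the way down
    return nodes


def successors(delta, q, f):
    """All (q', f') with (q, f) ->_A (q', f'); f' is returned as a frozenset of items."""
    out = set()
    for src, pre, dst, post in delta:
        if src != q:
            continue
        for d in candidates(f, len(pre)):
            if read_path(f, d) != pre:
                continue
            g = dict(f)
            for k, label in enumerate(post, start=1):  # relabel the whole path to d
                g[d[:k]] = label
            out.add((dst, frozenset(g.items())))
    return out


def tran(Q, m, q, ls, q2, ls2, fresh=None):
    """Expand the pattern [q, l1..ln] -> [q2, l1'..ln'] into concrete delta_m
    tuples: matched labels sit at increasing positions and every other position
    keeps its label.  With fresh=l the pattern is [q, l1..ln, BOT] -> [q2,
    l1'..ln', l]: position m is a fresh child of the node matching ln (a
    level-1 value if n == 0) and receives label l."""
    last = m - 1 if fresh is not None else m
    res = set()
    for pos in combinations(range(1, last + 1), len(ls)):
        if fresh is not None and pos and pos[-1] != last:
            continue  # l_n must be the parent of the fresh value
        free = [k for k in range(1, last + 1) if k not in pos]
        for fill in product(sorted(Q), repeat=len(free)):
            pre, post = dict(zip(pos, ls)), dict(zip(pos, ls2))
            pre.update(zip(free, fill)); post.update(zip(free, fill))
            if fresh is not None:
                pre[m], post[m] = BOT, fresh
            res.add((q, tuple(pre[k] for k in range(1, m + 1)),
                     q2, tuple(post[k] for k in range(1, m + 1))))
    return res


def ready_successors(delta, q_ready, f, bound=1000):
    """The derived relation f =>_ready f': class memory functions reached from
    (q_ready, f) by a run whose intermediate control states avoid q_ready.
    Intermediate configurations that deadlock are simply dropped."""
    start = (q_ready, frozenset(f.items()))
    seen, todo, result = {start}, deque([start]), set()
    while todo and len(seen) < bound:
        q, fr = todo.popleft()
        for q2, fr2 in successors(delta, q, dict(fr)):
            if q2 == q_ready:
                result.add(fr2)
            elif (q2, fr2) not in seen:
                seen.add((q2, fr2))
                todo.append((q2, fr2))
    return result


if __name__ == "__main__":
    # Constructed level-2 automaton: create a level-1 value labelled 'a', then
    # hang a 'b' under some 'a' and return to the ready state.
    Q = {"ready", "mid", "a", "b"}
    delta = (tran(Q, 1, "ready", (), "mid", (), fresh="a")
             | tran(Q, 2, "mid", ("a",), "ready", ("a",), fresh="b"))
    f1 = next(iter(ready_successors(delta, "ready", {})))
    print(sorted(f1))                                        # [((0,), 'a'), ((0, 0), 'b')]
    print(len(ready_successors(delta, "ready", dict(f1))))   # 2: two 'a' nodes to choose from
```

The second round shows the existential choice of the data value: with two nodes labelled `a` present, the `mid` state has two enabled instances of the same $\delta_2$ tuple, one per candidate parent, which is exactly the non-determinism the encoding relies on when it guesses the sender.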

To define the transitions of the encoding of a term, we make use of some auxiliary definitions generating sets of transition expressions.

$\mathrm{SETUP}(q, q', l, l', \varphi)$ adds, below the data value labelled with $l$, the nodes corresponding to a forest $\varphi$ of some term $Q$, and finally relabels that data value with $l'$. These transitions are deterministic in the sense that a configuration $(q, f)$ with only one data value labelled with $l$ will transition through all the transitions dictated by $\mathrm{SETUP}(q, q', l, l', \varphi)$ reaching $(q', f')$. Formally, suppose, for some $j$ and $k$, $\varphi = \{(x_1, \tau_1)[\varphi_1], \ldots, (x_j, \tau_j)[\varphi_j]\} \cup \{Q_1[\,], \ldots, Q_k[\,]\}$ where all $x_i$ are in $X_T$ and all $Q_i \in A_P$. Then $\mathrm{SETUP}$ is defined as follows:
$$
\begin{aligned}
\mathrm{SETUP}(q, q', l, l', \varphi) := {} & \{\, [q, l] \to [q_1, l] \,\} \\
& \cup \{\, [q_i, l, \bot] \to [q''_i, l, x_i^{\mathrm{wait}}] \mid 1 \le i \le j \,\} \\
& \cup \textstyle\bigcup_{i=1}^{j} \mathrm{SETUP}(q''_i, q_{i+1}, x_i^{\mathrm{wait}}, x_i, \varphi_i) \\
& \cup \{\, [q'_i, l, \bot] \to [q'_{i+1}, l, Q_i] \mid 1 \le i \le k \,\} \\
& \cup \{\, [q'_{k+1}, l] \to [q', l'] \,\}
\end{aligned}
$$
where $q_{j+1}$ stands for $q'_1$, and for all $1 \le i \le j$ and all $1 \le i' \le k$ the states $q_i, q''_i, q'_{i'}, q'_{k+1}$ are fresh intermediate control states, in the sense that they are only mentioned in the transitions generated by that specific application of $\mathrm{SETUP}$. Each $x_t \in X_T$ comes with a marked copy $x_t^{\mathrm{wait}}$, used to single out the node whose subtree is currently being built; the recursive call removes the mark once the subtree is complete. We allow $l$ to be the empty sequence, in which case $l'$ needs to be the empty sequence as well.

Similarly, we define $\mathrm{SPAWN}(q, q', l, l', \varphi)$ to be the set of transitions needed to append each tree in $\varphi$ to nodes in the path leading to a data value $d$ labelled with $l$; the operation starts at control state $q$ and ends at control state $q'$ with the label for $d$ updated to $l'$. Each tree is appended to the node with the lowest level such that every name mentioned in its leaves is an ancestor of that node. Since a single transition can add only one node of $\varphi$, we need a number of transitions to complete the operation; these transitions will however be deterministic in the same sense as the ones required to complete a $\mathrm{SETUP}$ operation. Formally, let the forest $\varphi = \Phi'(D)$ consist of trees $\theta_1, \ldots, \theta_k$, for a term $D \in A_P$. We can precompute, for each $\theta_i$, the base type
$$
t_i := \min_{\le_T} \{\, t \in T \mid t' \le_T t \text{ for every } x_{t'} \in \mathrm{fn}(A) \text{ with } n \in N_{\theta_i},\ \lambda(n) = A \,\}
$$
when defined, i.e. the base type of the deepest name free in the leaves of $\theta_i$. For each label $x_t \in X_T$ we also have a label $x_t^{\mathrm{wait}}$; we write $x(\theta_i)$ (resp. $x^{\mathrm{wait}}(\theta_i)$) for $x_{t_i}$ (resp. $x_{t_i}^{\mathrm{wait}}$) when $t_i$ is defined, or for the empty sequence when $t_i$ is undefined (e.g. when $\theta_i$ has no free variables). Then $\mathrm{SPAWN}(q_0, q', l, l', \varphi)$ is the set of transition expressions defined as follows:
$$
\mathrm{SPAWN}(q_0, q', l, l', \varphi) := \bigcup_{i=1}^{k} \Big( \{\, [q_{i-1}, x(\theta_i)\ l] \to [q'_{i-1}, x^{\mathrm{wait}}(\theta_i)\ l] \,\} \cup \mathrm{SETUP}(q'_{i-1}, q_i, x^{\mathrm{wait}}(\theta_i), x(\theta_i), \theta_i) \Big) \cup \{\, [q_k, l] \to [q', l'] \,\}
$$
where for all $1 \le h \le k$ the states $q_h$ and $q'_{h-1}$ are fresh. The first transition of each round marks, on the path of $d$, the node $\theta_i$ has to be attached to; $\mathrm{SETUP}$ then builds $\theta_i$ below it and removes the mark. When $x(\theta_i)$ is the empty sequence the marking step has no effect and $\theta_i$ is attached at level 1.

Figure 5: A schema of the transitions simulating a synchronisation in the automaton encoding of a term. The trees represent the class memory functions associated with configurations in the run of the automaton. The run simulates a sender synchronising with a replicated receiver. The two displayed nodes in the path leading to $S$ are the ones labelled with the names of, from top to bottom, the synchronisation channel and the exchanged message.

We define for each $D \in A_P$ the set of transition expressions $\mathrm{React}(D)$ representing the steps needed to simulate in the automaton the potential reactions of $D$:
$$
\mathrm{React}(M) := \mathrm{React}_{q_\emptyset}(M) \qquad\qquad \mathrm{React}(M^{*}) := \mathrm{React}_{M^{*}}(M).
$$
The set of transition expressions $\mathrm{React}_q(M)$ collects all the potential reactions of $M$ as a choice of $D$; the label $q$ is the one that should be associated with the "consumed" term $D$ after a reaction has been completed. The transitions simulating a replicated component do not mark the reacted term with $q_\emptyset$, as the ones for non-replicated terms do; $q_\emptyset$ represents "garbage" inert nodes in $f$. The term $\mathbf{0}$ cannot initiate any step and a choice may do any action that one of its summands can:
$$
\mathrm{React}_q(\mathbf{0}) := \emptyset \qquad\qquad \mathrm{React}_q(M + M') := \mathrm{React}_q(M) \cup \mathrm{React}_q(M').
$$
Any sender can initiate a synchronisation from the ready state:
$$
\begin{aligned}
\mathrm{React}_q(\overline{x_t}\langle x_{t'}\rangle.C) := {} & \{\, [q_{\mathrm{ready}}, x_t\ x_{t'}\ D] \to [q', x_t^{\mathrm{syn}}\ x_{t'}^{\mathrm{msg}}\ D^{\mathrm{wait}}] \mid t < t' \,\} \\
& \cup \{\, [q_{\mathrm{ready}}, x_{t'}\ x_t\ D] \to [q', x_{t'}^{\mathrm{msg}}\ x_t^{\mathrm{syn}}\ D^{\mathrm{wait}}] \mid t > t' \,\} \\
& \cup \mathrm{SPAWN}(q', q_{\mathrm{send}}, D^{\mathrm{wait}}, q, \Phi'(C))
\end{aligned}
$$
where $q'$ is fresh. The two cases account for the two possible relative positions of channel and message on the sender's path (by $T$-compatibility both names lie on it). Here, the state $q_{\mathrm{send}}$ signals that we are in the middle of a synchronisation, where the sender is committed but a receiver has yet to be selected.

For the case of an input prefix $M = x_t(x).C$ we distinguish two cases: when the base type of $x_t$ is greater than the base type of $x$ no migration occurs, otherwise part of the continuation needs to be spawned in the sender's path. In the case when the base type of $x_t$ is greater than the base type of $x$, we set
$$
\begin{aligned}
\mathrm{React}_q(x_t(x).C) := \bigcup_{t' \in T} \Big( {} & \{\, [q_{\mathrm{send}}, x_t^{\mathrm{syn}}\ x_{t'}^{\mathrm{msg}}\ D] \to [q_{\mathrm{rec}}^{t'}, x_t\ x_{t'}\ D^{\mathrm{wait}}] \mid t < t' \,\} \\
& \cup \{\, [q_{\mathrm{send}}, x_{t'}^{\mathrm{msg}}\ x_t^{\mathrm{syn}}\ D] \to [q_{\mathrm{rec}}^{t'}, x_{t'}\ x_t\ D^{\mathrm{wait}}] \mid t > t' \,\} \\
& \cup \mathrm{SPAWN}(q_{\mathrm{rec}}^{t'}, q_{\mathrm{ready}}, D^{\mathrm{wait}}, q, \Phi'(C[x_{t'}/x])) \Big)
\end{aligned}
$$
where, for each $t'$, $q_{\mathrm{rec}}^{t'}$ is a fresh copy of the state $q_{\mathrm{rec}}$ recording which message name was matched, so that the continuation is spawned with the received name substituted for $x$. Since the channel node is shared by sender and receiver, so are all its ancestors; hence a message name whose base type is above $t$ is always found on the receiver's path.

In the case when the base type of $x_t$ is smaller than the base type of $x$, more transitions are required. First, we precompute for each $M = x_t(x).C$ as above and $t < t' \in T$ the two forests $\varphi^{\neg\mathrm{mig}}(C)$ and $\varphi^{\mathrm{mig}}(C, t')$ such that $\Phi'(C[x_{t'}/x]) = \varphi^{\neg\mathrm{mig}}(C) \uplus \varphi^{\mathrm{mig}}(C, t')$ and $\varphi^{\mathrm{mig}}(C, t')$ contains all the nodes labelled with sequential terms tied to $x_{t'}$ in $C[x_{t'}/x]$. As we have shown in the proof of Theorem 2, by virtue of Lemma 2, $\varphi^{\neg\mathrm{mig}}(C)$ and $\varphi^{\mathrm{mig}}(C, t')$ are indeed disjoint. Then we set:
$$
\begin{aligned}
\mathrm{React}_q(x_t(x).C) := {} & \{\, [q_{\mathrm{send}}, x_t^{\mathrm{syn}}\ D] \to [q_{\mathrm{rec}}, x_t\ D^{\mathrm{wait}}] \,\} \\
& \cup \mathrm{SPAWN}(q_{\mathrm{rec}}, q', D^{\mathrm{wait}}, q, \varphi^{\neg\mathrm{mig}}(C)) \\
& \cup \textstyle\bigcup_{t' \in T} \mathrm{SETUP}(q', q_{\mathrm{ready}}, x_{t'}^{\mathrm{msg}}, x_{t'}, \varphi^{\mathrm{mig}}(C, t'))
\end{aligned}
$$
where $q'$ is a fresh intermediate control state. Only the instance of $\mathrm{SETUP}$ whose $t'$ matches the node marked $\mathrm{msg}$ can fire; it builds the migrating part of the continuation below that node and removes the mark. Figure 5 illustrates the steps the automaton performs when simulating a synchronisation.

Definition 9 (Automaton encoding). The automaton encoding of a typably hierarchical term $P$ is the NDCMA $\mathcal{A}[P] = (Q, \delta, q_{\mathrm{ready}}, f)$ where $\mathrm{TR} = \bigcup \{\mathrm{React}(D) \mid D \in A_P\}$, $Q = \mathrm{states}(\mathrm{TR})$, $\delta = \mathrm{tran}_Q(\mathrm{TR})$ and $f$ is an arbitrary class memory function such that $P \approx f$.

B. Soundness of the encoding

In this section we show that the transition system of the semantics of $P$ is bisimilar to the one of $\mathcal{A}[P]$ when the latter is restricted to configurations with control state equal to $q_{\mathrm{ready}}$.

A transition system is a tuple $(S, \to, s)$ where $S$ is a set of configurations, $({\to}) \subseteq (S \times S)$ is the transition relation and $s \in S$ is the initial state. Two transition systems $(S_1, \to_1, s_1)$ and $(S_2, \to_2, s_2)$ are said to be bisimilar if there exists a relation $({\approx}) \subseteq S_1 \times S_2$ such that $s_1 \approx s_2$ and $\approx$ is a bisimulation, that is, if $s \approx t$ then: (A) for each $s' \in S_1$ such that $s \to_1 s'$ there is a $t' \in S_2$ such that $t \to_2 t'$ and $s' \approx t'$; (B) for each $t' \in S_2$ such that $t \to_2 t'$ there is an $s' \in S_1$ such that $s \to_1 s'$ and $s' \approx t'$. Establishing that two transition systems are bisimilar implies that a wide class of properties is preserved across bisimilar states. For our purposes, proving that the automaton encoding of a term gives rise to a bisimilar transition system has the important consequence that reachability can be reduced from one model to the other.

Theorem 4. The transition system $(\mathrm{CMF}(D, Q), \Rightarrow_{\mathrm{ready}}, f_0)$ induced by the automaton $\mathcal{A}[P] = (Q, \delta, q_{\mathrm{ready}}, f_0)$ obtained from a closed typably hierarchical term $P$ is bisimilar to the transition system of the reduction semantics of $P$, $(\mathrm{Reach}(P), \to, P)$.

The result is proved by showing that the relation $\approx$ defined above is a bisimulation that relates the initial states of the two transition systems. By definition of $\mathcal{A}[P]$ we have $P \approx f_0$. Showing that $\approx$ is indeed a bisimulation amounts to showing that if $Q \approx f$ then:

(A) for each $Q'$ such that $Q \to Q'$ there is an $f'$ such that $f \Rightarrow_{\mathrm{ready}} f'$ and $Q' \approx f'$;

(B) for each $f'$ such that $f \Rightarrow_{\mathrm{ready}} f'$ there is a $Q'$ such that $Q \to Q'$ and $Q' \approx f'$.

To show this holds we rely on the hypothesis $Q \approx f$ to get an $\iota$ relating $\Phi'(Q)$ and $f$. The proof then closely follows the constructions in the proof of Theorem 2. If $Q \to Q'$ we can find two nodes $n_s$ and $n_r$ in $\Phi'(Q)$ labelled with the sender and receiver processes responsible for the reduction; they share an ancestor $n_a$ labelled $(x_t, \tau)$ corresponding to the channel on which they are synchronising. On the automaton side, $(q_{\mathrm{ready}}, f)$ matches the rule generated from the sender by selecting the data value $d_s = \iota(n_s)$, a data value $d_b$ corresponding to the name being sent, and $d_a = \iota(n_a)$. This leads to $(q', f')$ where $f'(d_a) = x_t^{\mathrm{syn}}$, $f'(d_b) = x_{t'}^{\mathrm{msg}}$ and $f'(d_s) = S^{\mathrm{wait}}$. From here only one of the transitions generated from $\mathrm{SPAWN}$ of the continuation is enabled, as there is only one node marked with "wait". The transitions are deterministic from here until a configuration $(q_{\mathrm{send}}, f'')$ is reached, with $f''$ representing the initial forest with the continuation of the sender added and with the node of the sender updated with either $q_\emptyset$ or the sender itself if it is a replicated component. At this point there is only one data value marked with "syn" and the only transitions from $q_{\mathrm{send}}$ are the ones generated from a process that can receive from the marked channel. We can pick the rule that has been generated from the receiver involved in the reduction from $Q$ to $Q'$ and go to a configuration with control state $q_{\mathrm{rec}}$. From this configuration the transitions are deterministic. The next configuration reached with control state $q_{\mathrm{ready}}$ is related by $\approx$ to $Q'$, as can be checked by tracing the effects these transitions have on the class memory function: fresh data values get assigned labels compatible with the non-migrating continuations of the receiver first, and then the migrating ones as children of $d_b$; data values with meaningless labels get assigned the label $q_\emptyset$.

To prove (B) we proceed similarly. Every run from $(q_{\mathrm{ready}}, f)$ to $(q_{\mathrm{ready}}, f')$ must start with a transition generated by the rules extracted from a sender $S$ labelling a data value $d_s$, and it reaches control state $q_{\mathrm{send}}$ only once the continuation of $S$ has been spawned; since $Q \approx f$ we know that $n_s = \iota^{-1}(d_s)$ is labelled with $S$ in $\Phi'(Q)$, hence $S$ is an active sequential process of $Q$. To complete this part of the proof we only need to follow the transitions of the automaton in the same way as done for the previous point, and note that the only way the automaton can reach a configuration with control state $q_{\mathrm{ready}}$ from $(q_{\mathrm{ready}}, f)$ is by selecting a receiver that can synchronise with the selected sender. This is important because there may be transitions from $(q_{\mathrm{ready}}, f)$ corresponding to selecting a sender trying to synchronise on a channel on which no receiver is listening. Such a transition leads to a deadlocked configuration (one with no successors) without ever passing through a configuration with control state $q_{\mathrm{ready}}$, so it contributes nothing to $\Rightarrow_{\mathrm{ready}}$.

C. Encoding of NDCMA into Typably Hierarchical terms

In this section we sketch how an NDCMA can be encoded into a bisimilar typably hierarchical $\pi$-term.

Similarly to the encoding in the opposite direction, the $\pi$-calculus encoding of an automaton $\mathcal{A}$ represents a reachable configuration $(q, f)$ using the forest of a reachable term $P$. A term representing a reachable configuration may need to execute several steps before reaching another term representing a successor configuration.

Fix an automaton $(Q, \delta, q_0, f_0)$. For simplicity we show the case where $\forall d.\ f_0(d) = \bot$; the general case follows the same scheme. First we note that, by the invariant on class memory functions noted after Definition 8, every transition in $\delta_i$ that can ever fire is of the form
$$
(q_0, q_1 \ldots q_j, \bot, \ldots, \bot, q'_0, q'_1 \ldots q'_i)
$$
for some $0 \le j \le i$, where $q_k \in Q$ for all $0 \le k \le j$ and the symbols $\bot$ occupy the positions $j+1$ to $i$. Instead of using the partition $\delta = \bigcup_{i=1}^{\ell} \delta_i$ we re-partition the transition relation as $\delta = \bigcup_{j=0}^{\ell} \delta'_j$ where
$$
\delta'_j := \bigcup_{i=j}^{\ell} \{\, (q_0, q_1 \ldots q_j, \bot, \ldots, \bot, q'_0, q'_1 \ldots q'_i) \in \delta_i \,\}
$$
(fixing $\delta_0 = \emptyset$ for uniformity). We introduce a channel name $c^i_q$ for each $q \in Q$ and each level $i$ of the automaton. Our encoding exhibits no mobility, so each such channel $c$ has a type $t_c$ and no message is exchanged on synchronisation; we abbreviate this kind of synchronisation with $c.P$ and $\overline{c}.Q$.¹ Let $C^i := \{(c^i_q : t_{c^i_q}) \mid q \in Q\}$. Given a transition $\mathrm{tr} \in \delta'_j$ where $\mathrm{tr} = (q_0, q_1 \ldots q_j, \bot, \ldots, \bot, q'_0, q'_1 \ldots q'_i)$ we define the term $A_{\mathrm{tr}}$ to be
$$
A_{\mathrm{tr}} := c^0_{q_0}.\ c^1_{q_1}.\ \cdots\ c^j_{q_j}.\ \nu C^{j+1}. \cdots \nu C^{i}.\Big( \overline{c^0_{q'_0}} \parallel \overline{c^1_{q'_1}} \parallel \cdots \parallel \overline{c^i_{q'_i}} \parallel \prod_{k=j+1}^{i} P_{\delta'_k} \Big)
$$
where $P_{\delta'_k} := \prod_{\mathrm{tr} \in \delta'_k} (A_{\mathrm{tr}})^{*}$ and $\prod_{k=i+1}^{i} P_{\delta'_k} = \mathbf{0}$. Note that these definitions are well-defined since they are not recursive: $A_{\mathrm{tr}}$ for $\mathrm{tr} \in \delta'_j$ only mentions $P_{\delta'_k}$ with $k > j$. The $\pi$-term encoding of the NDCMA $\mathcal{A} = (Q, \delta, q_0, f_0)$ is then defined as
$$
\mathcal{V}[\mathcal{A}] := \nu C^0.\big( P_{\delta'_0} \parallel \overline{c^0_{q_0}} \big).
$$
Intuitively, a non-fresh data value of level $k$ labelled $q$ is represented by a subterm $\nu C^k.(P_{\delta'_k} \parallel \overline{c^k_q} \parallel \ldots)$ whose pending output on $c^k_q$ records its label (the control state playing the role of a level-0 value), and $A_{\mathrm{tr}}$ consumes the labels along a path, creates the fresh levels and re-emits the updated labels.

¹ It is easy to see that this can be accommodated in our syntax by assuming a global name $r$, typed with a type $t_r$ that is set to be the parent of each root in $T$; a synchronisation over a channel $c : t_c[t_r]$ without exchanging a message is then represented by $c(x).P$ and $\overline{c}\langle r\rangle.Q$ with $x \notin \mathrm{fn}(P)$.

Similarly to our previous result, the encoding needs more than one step to simulate a single transition of the automaton. Hence, to state the result on the correspondence between the semantics of the automaton and its encoding, we define a derived transition system on $\pi$-terms as follows. Let $P$ and $Q$ be two $\pi$-terms such that $P \to^{+} Q$, $P \equiv \nu C^0.(\overline{c} \parallel P')$ and $Q \equiv \nu C^0.(\overline{c'} \parallel Q')$ with $c, c' \in C^0$, and none of the intermediate processes in the reduction from $P$ to $Q$ is in that form; then $P \Rightarrow_{\mathrm{co}} Q$. Note that even after $\alpha$-renaming a term in the encoding, we would be able to pinpoint names from each $C^i$ by looking at their types, as $\alpha$-renaming does not affect type annotations.


Theorem 5. The transition system generated by the semantics of a level-$\ell$ NDCMA $\mathcal{A}$ and the transition system $\Rightarrow_{\mathrm{co}}$ with $\mathcal{V}[\mathcal{A}]$ as initial state are bisimilar.

Proof. Fix an NDCMA $\mathcal{A} = (Q, \delta, q_0, f_0)$ with $\delta = \bigcup_{0 \le j \le \ell} \delta'_j$ as before. We prove the theorem by exhibiting a bisimulation relation $({\sim}) \subseteq (Q \times (D \to Q_\bot)) \times \mathrm{Reach}(\mathcal{V}[\mathcal{A}])$ between the two transition systems. For a class memory function $f\colon D \to Q_\bot$, let $f(D)$ be the $Q$-labelled forest with the set $N = \{d \in D \mid f(d) \neq \bot\}$ as nodes, each labelled with $f(d)$, and with $\mathrm{pred}_D$ restricted to $N$ as parent relation; $q[\varphi]$ denotes the tree with a root labelled $q$ and the forest $\varphi$ as its subtrees. We first define a hierarchy of relations between $Q$-labelled trees and $\pi$-terms, for $0 \le i \le \ell$, as follows: $q[\{\varphi_1, \ldots, \varphi_n\}] \sim_i \nu C^i.(P_{\delta'_i} \parallel \overline{c^i_q} \parallel \prod_{1 \le j \le n} P_j)$ if, for all $1 \le j \le n$, $\varphi_j \sim_{i+1} P_j$. Since $n$ must be $0$ for $i = \ell$, the relation is well-defined. Let $P \in \mathrm{Reach}(\mathcal{V}[\mathcal{A}])$ and $(q, f)$ be a reachable configuration of $\mathcal{A}$. Then $(q, f) \sim P$ if there exists a $P' \equiv P$ such that $q[f(D)] \sim_0 P'$. To show that $\sim$ is indeed a bisimulation, we have to prove that if $(q, f) \sim P$ then:

(A) for each $(q', f')$ such that $(q, f) \to_{\mathcal{A}} (q', f')$ there is a $P'$ such that $P \Rightarrow_{\mathrm{co}} P'$ and $(q', f') \sim P'$;

(B) for each $P'$ such that $P \Rightarrow_{\mathrm{co}} P'$ there is a $(q', f')$ such that $(q, f) \to_{\mathcal{A}} (q', f')$ and $(q', f') \sim P'$.

To prove (A) we proceed as follows: suppose $(q, f) \to_{\mathcal{A}} (q', f')$ is an application of a transition $t = (q, q_1 \ldots q_j, \bot, \ldots, \bot, q', q'_1 \ldots q'_i) \in \delta'_j$; then the forest $q[f(D)]$ has a path from the root to a node, labelled with $q, q_1, \ldots, q_j$, which, by definition of $\sim$, implies that $P$ is congruent to a term with the following shape:
$$
\nu C^0.\Big( P_0 \parallel \overline{c^0_q} \parallel \nu C^1.\big( P_1 \parallel \overline{c^1_{q_1}} \parallel \cdots \nu C^j.( P_j \parallel \overline{c^j_{q_j}} \parallel P_{\delta'_j} ) \cdots \big) \Big).
$$
By construction, $P_{\delta'_j} = (A_t)^{*} \parallel R$ and $A_t$ is a process inputting once from $c^0_q$ and then once from each $c^k_{q_k}$ in sequence. From the shape of $P$ we can conclude that all of these input prefixes can synchronise with the dual processes in parallel with them, activating, in $j+1$ steps, the continuation
$$
C = \nu C^{j+1}. \cdots \nu C^i.\Big( \overline{c^0_{q'}} \parallel \overline{c^1_{q'_1}} \parallel \cdots \parallel \overline{c^i_{q'_i}} \parallel \prod_{k=j+1}^{i} P_{\delta'_k} \Big)
$$
and yielding the process
$$
P' = \nu C^0.\Big( P_0 \parallel \overline{c^0_{q'}} \parallel \nu C^1.\big( P_1 \parallel \overline{c^1_{q'_1}} \parallel \cdots \nu C^j.( P_j \parallel \overline{c^j_{q'_j}} \parallel P_{\delta'_j} \parallel \nu C^{j+1}.( R_{j+1} \parallel \overline{c^{j+1}_{q'_{j+1}}} \parallel \cdots \nu C^i.( R_i \parallel \overline{c^i_{q'_i}} ) \cdots ) ) \cdots \big) \Big)
$$
where for $k$ between $j+1$ and $i$, $R_k = P_{\delta'_k}$. Now consider the forest $q'[f'(D)]$: it coincides with $q[f(D)]$ except on the path we singled out, now labelled with $q', q'_1, \ldots, q'_j$ and continuing to a leaf with nodes labelled $q'_{j+1}, \ldots, q'_i$. It is easy to see that $q'[f'(D)] \sim_0 P'$.

To prove (B) one can proceed similarly, by observing that even if $\mathcal{V}[\mathcal{A}]$ can perform some reductions which deadlock and do not correspond to transitions of the automaton, these steps cannot lead to a state with some $\overline{c^0_q}$ as one of the active sequential processes. This claim is supported by the following easy-to-verify invariant: in any term $P$ reachable from $\mathcal{V}[\mathcal{A}]$, for each bound name $c$ in $P$ there is at most one active sequential subterm of $P$ outputting on $c$. This is satisfied by $\mathcal{V}[\mathcal{A}]$ and preserved by reduction. □

Theorem 6. $\mathcal{V}[\mathcal{A}]$ is typably hierarchical.

Proof. Assume an arbitrary strict total order $<_Q$ on the automaton's control states; let then $(T, <_T)$ be the forest with nodes $T = \{t^i_q \mid 0 \le i \le \ell, q \in Q\}$, where $t^i_q <_T t^i_{q'}$ if $q <_Q q'$ and $t^i_q <_T t^{i+1}_{q'}$ if $q$ and $q'$ are respectively the maximum and minimum states with respect to $<_Q$ (closing under transitivity); $T$ is thus a single chain whose root is $t^0_{q}$ for the $<_Q$-minimal $q$. It can be proved that $\emptyset \vdash_T \mathrm{nf}(\mathcal{V}[\mathcal{A}])$: since no messages are exchanged over channels, the constraints on types are trivially satisfied; for the same reason, no sequential term under an input prefix is migratable, making all the base type constraints in rule In trivially valid. The base type inequalities of rule Par are also satisfied since, in $A_{\mathrm{tr}}$ for $\mathrm{tr} \in \delta'_j$, every $P_{\delta'_k}$ is tied to a channel $c \in C^k$ and can only have as free names channels in $C^h$ with $h \le k$, which all have base types smaller than or equal to that of $c$. □

VI. Related Work

Depth boundedness in the $\pi$-calculus was first proposed in [9] and later studied in [8], where it is proved that depth-bounded systems are well-structured transition systems. In [20] it is further proved that (forward) coverability is decidable even when the depth bound $k$ is not known a priori. In [21] an approximate algorithm for computing the cover set (an over-approximation of the set of reachable terms) of a system of depth bounded by $k$ is presented. All these analyses rely on the assumption of depth-boundedness and may even require a known bound on the depth to terminate.

Several other interesting fragments of the $\pi$-calculus have been proposed in the literature, such as name bounded [6], mixed bounded [10], and structurally stationary [9]. Since they are typically defined by a non-trivial condition on the set of reachable terms (a semantic property), membership is undecidable. Links with Petri nets via encodings of proper subsets of depth-bounded systems have been explored in [10]. Our type system can prove depth-boundedness for processes that are breadth and name unbounded, and which cannot be simulated by Petri nets. Recently Hüchting et al. [18] proved several relative classification results between fragments of the $\pi$-calculus. Using Karp-Miller trees, they presented an algorithm to decide if an arbitrary $\pi$-term is bounded in depth by a given $k$. The construction is based on an (accelerated) exploration of the state space of the $\pi$-term, which can be computationally expensive. By contrast, our type system uses a very different technique leading to a quicker algorithm, at the expense of precision. Our forest-structured types can also act as specifications, offering more intensional information to the user than just a bound $k$.

Our type system is based on Milner's sorts for the $\pi$-calculus [12], later refined into I/O types [16] and their variants [17]. Based on these types is a system for termination of $\pi$-terms [5] that uses a notion of levels, enabling the definition of a lexicographical ordering. Our type system can also be used to determine termination of $\pi$-terms in an approximate but conservative way, by composing it with a procedure for deciding termination of depth-bounded systems. Because the respective orderings between types of the two approaches are different in conception, we expect the terminating fragments isolated by the respective systems to be incomparable.

A rather different approach to typing $\pi$-terms is presented in [7], where behavioural types are introduced. Roughly speaking, the type system can extract from a $\pi$-term $P$ a type which is itself a CCS term simulating $P$. Properties of the type (such as absence of locks) can then be transferred back to $P$ by virtue of this simulation. By contrast, our types do not carry information about the evolution of the system; if a system is proved depth-bounded by the type system, its evolution can be analysed quite accurately using the decision procedures for depth-bounded systems.

Nested Data Class Memory Automata were introduced in [3] as an extension of Class Memory Automata to operate over tree-structured datasets. Without the local acceptance condition, NDCMA have decidable emptiness, and in the deterministic case they are closed under all Boolean operations (see [3]). Thanks to these algorithmic properties, NDCMA have recently found applications in algorithmic game semantics [4].

Automata that support name reasoning have been used to model the $\pi$-calculus, going back to the pioneering work on History-Dependent Automata [15]. More recently, Tzevelekos [19] introduced Fresh-Register Automata (FRA), which operate on an infinite alphabet of names and use a finite number of registers to process fresh names; crucially, they can compare incoming names with previously stored ones. He showed that finitary $\pi$-terms (i.e. processes that do not grow unboundedly in parallelism) are finitely representable in FRA.

VII. Future Directions

The type system we presented in Section IV is very conservative: the use of simple types, for example, renders the analysis context-insensitive. Although we have kept the system simple so as to focus on the novel aspects, a number of improvements are possible. First, the extension to the polyadic case is straightforward. Second, the type system can be made more precise by using subtyping and polymorphism to refine the analysis of control and data flow. Third, the typing rule for replication introduces a very heavy approximation: when typing a subterm, we have no information about which other parts of the term (crucially, which restrictions) may be replicated.

Let us explain the issue through an example. Let $A = \nu b.\nu c.(\overline{a}\langle c\rangle + a(x).\overline{b}\langle x\rangle)^{*}$ and consider the two terms $P_1 = \nu a.A$ and $P_2 = \nu a.A^{*}$. The typing derivations for the two terms are almost identical and the set of constraints they impose on $T$ is the same. However $P_1$ is depth bounded while $P_2$ is not. Therefore the type system must reject both. We briefly sketch a possible enhancement that is sensitive to replication. Take the term $\nu b : t_b[t].\nu l : t_l[t].\nu r : t_r[t].(b(x).l(y).(\overline{r}\langle x\rangle \parallel \overline{b}\langle y\rangle))^{*}$, which acts as a 1-cell buffer between $l$ and $r$. This term cannot be typed by the current type system because $l(y).(\overline{r}\langle x\rangle \parallel \overline{b}\langle y\rangle)$ is migratable for the input $b(x)$, thus requiring $t_l < t_b$, but at the same time $\overline{b}\langle y\rangle$ is migratable for $l(y)$, requiring $t_b < t_l$, leading to a contradiction. We propose to add to the structure of $T$ a notion of multiplicities of base types: a base type can be marked with either $1$ or $\omega$. Suppose the forest of a term has a path $p$ from a node $n$ to a node $n'$ where the trace of $p$ consists only of base types marked with $1$. This situation represents the fact that no branching will ever occur between the two replications corresponding to $n$ and $n'$, and having one of the two names in scope guarantees that the other one is in scope too. In other words, all the restrictions represented by nodes in $p$ can be thought of as an indivisible unit; when typing an input term on a name with base type $t$, the constraints of rule In can be relaxed to require the free variables of migratable terms to have base types smaller than the lowest $t'$ such that the path between $t$ and $t'$ in $T$ is formed only of base types with multiplicity $1$. In the case of the buffer example, we observe that $b$, $l$ and $r$ could all be assigned base types of multiplicity $1$, thus replacing the two conflicting constraints with the constraints $t_l < t'$ and $t_b < t'$, where $t'$ is the greatest among $t_l$, $t_r$ and $t_b$. The formalisation and validation of this extension is a topic of ongoing research.